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CHAPTER  1 


INTRODUCTION 

The  purpose  of  this  thesis  Is  to  develop  a  computerized  method 
which  aids  the  operators  of  complex  dynamic  systems  to  detect  failures 
and  to  locate  the  causes  In  real-time-  This  method  Is  designed  to 
eliminate  the  necessity  to  preprogram  the  possible  system  failure-modes. 
The  displays  Interfacing  the  method  with  the  human  operators  include 
probabilities  of  system  failures  calculated  by  a  statistical  model. 

The  increasing  complexity  and  size  of  systems  like  chemical  plants, 
power  stations  (fossil  or  nuclear),  ships,  and  airplanes  impose  on  the 
human  operators  high  cognitive  work  load.  This  load  is  increased  further 
when  the  system  malfunctions  because  then  the  operators  are  required  to 
take  corrective  actions  rapidly  and  promptly.  Under  such  imposed  stress 
the  operators'  reliability  is  decreased  [1],  and  as  a  result  severe 
accidents  may  occur  [2],  This  has  been  recognized  by  many  researchers, 
who  suggested  that  somehow  operators  be  aided  by  computers. 

Many  of  the  existing  failure  detection  methods  rely  on  prepro¬ 
gramming  the  possible  system  failure-modes,  all  of  which  cannot  prac¬ 
tically  be  considered.  Therefore,  a  method  which  avoids  this  require¬ 
ment  is  advantageous. 

Displaying  the  probabilities  of  failures  has  been  found  to  be 
very  helpful  to  the  operators  [3].  Therefore  displays  which  include 
these  updated  probabilities  are  advantageous. 
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During  the  last  three  decades  many  computerized  on-line  methods 
have  been  developed  for  failure  detection  and  location.  One  of  these 
methods  Is  based  on  a  fault/event  tree  analysis.  Here  the  potential 
significant  failure  modes,  their  logical  interrelations  and  their  con¬ 
sequences  are  preprogrammed  and  stored  In  a  computer.  The  computer 
checks  the  system  status  and  compares  It  with  the  stored  failure  modes. 

When  one  of  these  modes' Is  activated  an  alarm  Is  triggered  and  the  op¬ 
erator  Is  Informed. 

In  1968  Patterson  [4]  and  Wei bourne  [5]  designed  a  computerized 
alarm  and  display  system  for  a  nuclear  power  plant.  But  this  was  not 
used  because  Its  cost  was  prohibitive. 

In  1980,  with  the  advent  of  cheaper  computers,  Frogner  and 
Meijer  [6]  and  Bastle  and  Felkel  [7]  developed  a  failure  detection 
and  location  system  which  they  call  Disturbance  Analysis  System  (DAS). 
Recently,  it  has  been  recognized  that  DAS  should  be  designed  to  allow 
real-time  modification  and  extension  of  Information,  which  will  enable 
the  operators  to  test  unconsidered  failure  modes.  This  concept  is 
currently  motivating  the  development  of  DAS  in  a  second  generation: 
Disturbance  Analysis  and  Surveillance  System  (DASS). 

Another  method  which  implements  the  fault/event  tree  analysis 
was  suggested  by  Glmmy  and  Nomm  [8].  They  constructed  the  preprogrammed 
failure  modes  Into  special  tabulated  forms.  These  tables  can  easily  be  modi¬ 
fied  to  Include  unconsidered  failure  modes  in  the  fault/event  tree. 

A  system  that  poses  a  high  degree  of  redundancy  can  be  diagnosed 

using  Voting  Techniques.  In  the  standard  voting  scheme  the  outputs  of 
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three  or  more  Identical  Instruments  are  compared  and  simple  logic  Is 
utilized  to  detect  and  eliminate  faulty  Instruments.  Deckert  et  al.  [9], 
Gilmore  and  Mckem  [}0l  Pejsa  [11],  and  Broen  [12]  have  developed  voting 
schemes,  and  Louie  [13]  discusses  the  method's  different  applications. 

Ray  et  al.  [14]  proposed  a  voting  scheme  which  includes  analytic  re¬ 
dundancy  to  test  the  consistency  of  the  different  system  outputs. 

Nicholson  and  Lanning  [15],  and  Lind  [16]  have  independently  pro¬ 
posed  to  use  the  model  of  the  system  normal  operation  mode  to  diagnose 
system  failures.  Here  failures  are  detected  when  the  measured  system 
outputs  diverge  from  their  corresponding  model  values.  This  method  is 
advantageous  because  a  single  model  Is  compared  with  the  physical  system. 
Its  disadvantage  is  that  it  does  not  locate  the  causes  of  the  failures 
because  a  system-model  disparity  does  not  uniquely  locate  the  causes. 

To  obtain  the  location  capability,  It  has  been  proposed  by  Sheridan 
[1]  andHassan  [17]  to  break  the  aggregated  model  Into  submodels,  each  of  which  is 
forced  by  the  appropriate  system  measured  variables.  The  outputs  of 
these  submodels  are  compared  with  their  corresponding  system  outputs. 

A  deviation  of  the  outputs  of  any  submodel  indicates  that  its  corres¬ 
ponding  subsystem  has  failed.  The  disadvantage  of  this  method  is  that 
it  does  not  specify  the  compared  system-model  outputs.  In  practice, 
only  a  partial  set  of  the  many  system-model  outputs  is  compared.  This 
chosen  set  of  outputs  does  not  necessarily  detect  all  possible  system 
failures. 

A  method  that  disaggregates  the  model  of  the  system's  normal 
operation  mode  and  specifies  the  compared  system  and  model  outputs  is 


required.  This  method  has  to  be  able  (1)  to  detect  system  failures  by 
comparing  several  system  and  model  outputs ,  and  (2)  to  locate  these 
failures  quickly  and  reliably. 

The  objective  of  the  Failure  Detection  and  Location  Method  (FDLM) 
presented  In  this  thesis  is  to  meet  these  requirements. 

The  thesis  Is  organized  as  follows.  Chapter  2  defines  a  system 
failure  and  describes  the  new  Failure  Detection  and  Location  Method 
(FDLM).  The  advantages  and  limitations  of  FDLM  are  discussed  in 
Chapter  3.  Chapter  4  describes  more  complex  applications  of  the  method 
Human  factors,  considerations  and  experimental  determination  of  human 
operator/FDLM  Interface  are  discussed  in  Chapters  5  and  6,  respectively 
An  example  of  the  method's  application  Is  described  in  Chapter  7.  The 
conclusions  and  the  proposed  future  work  are  summarized  in  Chapter  8. 
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CHAPTER  2 

DESCRIPTION  OF  THE  FAILURE  DETECTION 
AND  LOCATION  METHOD  (FDLM) 

2.1  Definition  of  System's  Failure 

The  definition  of  failure  applies  to  systems  that  operate  by  trans¬ 
ferring  power  between  adjacent  subsystems  in  order  to  produce  a  desired 
rate  of  work.  A  fossil  power  plant  is  an  example  in  which  coal  or  oil 
is  burnt  to  generate  steam.  The  steam  is  expanded  through  turbine  stages 
which  rotate  generators  to  provide  the  desired  electric  power.  The  value 
of  the  transferred  power  between  two  adjacent  subsystems  is  denoted  by 
P,  and  Its  reference  value  under  normal  conditions  of  operation  by  Pn. 
The  system  Is  said  to  have  failed  if  the  absolute  value  of  the  difference 
between  P  and  Pn  lies  outside  preset  limits,  Sn.  To  locate  the  failure 
causes  the  system's  causality  should  be  considered. 

2.2  A  System's  Causal  Description 

In  1960  Paynter  [18]  introduced  the  concept  that  power  in  physical 
systems  flows  in  communication  channels  named  "energy  bonds".  According 
to  the  number  of  independent  variables,  which  determine  the  transferred 
power  in  these  bonds,  one  can  categorize  the  energy  bonds  into  three 
classes: 

1 .  Bilateral  energy  bonds. 

These  bonds  are  characterized  by  two  variables:  effort,  e,  and 
flow,  f.  The  product  of  these  variables  is  the  transferred  power,  P. 


P  =  e  •  f 
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(2.1) 


» 


The  effort  and  the  flow  variables  of  various  systems  are  simmarized  In 
Table  2.1.  In  electrical  systems,  for  example,  voltage  and  current  are 
the  effort  and  flow  variables,  respectively. 


TABLE  2.1:  EFFORT  AND  FLOW  VARIABLES  OF  VARIOUS  SYSTEMS 


EFFORT  (e) 

Mechanical 

Force 

Velocity 

Torque 

Angular 

Velocity 

Hydraulic 

Pressure 

Vol umetrl c 

Flow 

El ectri cal 

Voltage 

Current 

In  thermal  systems  the  effort  Is  the  temperature  and  the  flow  is  the 
entropy  rate  which  can  be.  evaluated  by  Indirect  temperature  measure¬ 
ments. 


The  concept  of  energy  bonds  leads  to  causal  descriptions  of  physi¬ 
cal  systems.  The  causal  description  of  a  system  consisted  of  bilateral 
energy  bonds  is  constructed  as  follows.  Consider  two  interacting  sub¬ 
systems,  S-j  and  Sg*  shown  in  Figure  2.1,  in  which  the  effort  is  supplied 
by  subsystem  S>| .  This  effort  causes  the  flow  to  achieve  a  value  which 
depends  on  the  impedance  of  subsystem  Sg*  Hence,  a  means  of  communi¬ 
cating  the  impedance  of  S2  back  to  must  be  provided.  In  this  example, 
the  effort  Is  determined  by  subsystem  S-j  and  communicated  to  S2,  where 
the  flow  is  determined  by  subsystem  Sg  and  communicated  to  S-j .  This  bi¬ 
lateral  causal  description  Is  shown  in  Figure  2.1. 

An  example  of  an  hydraulic  system  which  can  be  described  using  the 
bilateral  energy  bonds  is  the  two-tank  system  shown  in  Figure  2.2.  The 

causal  description  of  this  system  Is  shown  in  Figure  2.3. 
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equivalent  to: 


Fiqure  2.1  Causal  description  of  system  (S,  S2)  with  bilateral  enerqy 
bonds,  from  reference  18. 


I* 


2 .  Unilateral  bonds 


These  bonds  are  characterized  by  a  single  independent  variable, 
either  effort  or  flow,  as  shown  in  Figure  2.4.  The  co variable  of 
the  unilateral  bond's  Independent  variable  is,  in  most  cases,  constant 
in  its  value.  The  modified  two-tank  hydraulic  system  shown  in  Figure 
2.5  can  be  described  using  bi-lateral  and  uni -lateral,  energy  bonds. 

The  causal  description  of  this  system  is  shown  in  Figure  2.6.  This 
description  indicates  that  the  energy  bond  connecting  valve  A  and  tank  B 
is  uni-lateral.  The  independent  variable  of  this  bond  is  the  flow  F2, 
and  its  covariable  is  set  to  be  a  constant  atmospheric  pressure. 

3.  Multilateral  bonds 

When  the  number  of  independent  power  variables  exceeds  two,  the* 
energy  bonds  are  categorized  as  multilateral  bonds.  These  bonds  are 
used  to  simulate  thermofluid  systems  in  which  the  power  of  single  phase 
matter  is  a  function  of  three  variables.  Paynter  [19]  has  shown  that 
pressure,  flow  and  temperature  form  an  advantageous  set  of  variables. 
These  power  variables  are  shown  in  Figure  2.7.  Paynter  has  decomposed 
the  thermofluidic  power  into  two  terms:  fluidic  power,  which  is 
dominated  by  the  pressure  and  the  flow  variables,  and  thermal  power, 
dominated  by  the  flow  and  the  temperature. 

The  causal  descriptions  of  systems  with  multilateral  bonds  are  dis¬ 
cussed  in  Section  4.4. 

2.3  A  Failure  Detection  Method 

The  detection  of  a  system  failure  can  proceed  as  follows.  A 
computerized  mathematical  model  of  the  system  is  established.  The  sys- 


I 

Figure  2.7 


Causal  description  of  a  system  (S,  S^)  with  multilateral 
energy  bond.  c 
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tem  and  the  model  are  excited  by  the  same  Input.  The  power  trans¬ 
ferred  between  two  adjacent  subsystems,  1,  andjP^.  Is  measured  and 
compared  with  its  corresponding  model  value  P!Jj.  If  the  absolute 
value  of  the  difference  between  P^j  and  p”j  exceeds  prespecified 
limits,  6n,  then  a  failure  is  detected.  This  system-model  setup  de¬ 
picted  in  Figure  2.8,  detects  failures  but  does  not  locate  the  causes. 
Clearly,  a  malfunction  in  either  of  the  subsystems  could  result  in  the 
observed  power  deviation.  Furthermore,  in  the  case  of  a  multiple 
system  failure,  P^  might  not  deviate  from  its  normal  value,  P^j,  al¬ 
though  the  system  has  failed. 

2.4  Failure  Detection  and  Location  Method  (FDLM) 

The  method  developed  in  this  thesis  is  called  Failure  Detection 
and  Location  Method  (FDLM).  This  method  is  designed  to  overcome  the 
described  difficulties  and  its  applications  to  bi-,  uni-,  and  multi¬ 
lateral  energy  bonds  are  as  follows. 

2.4.1  Bilateral  Energy  Bonds 

The  independent  variables,  e$  and  f$,  of  the  power  transferred 
from  subsystem  1  to  subsystem  2,Pl2,  are  measured.  A  model  of  each  of  the 
two  subsystems  (submodel  1  and  submodel  2)  is  constructed,  as  shown  in 
Figure  2.9.  According  to  the  causalities  of  these  submodels,  the 
measured  system  effort  and  flow  variables  are  used  as  the  model  inputs. 

In  Figure  2.9  it  is  assumed  that  the  causalities  of  the  submodels 
are  such  that  e$  and  f  are  the  input  variables  of  submodels  1  and  2, 
respectively.  The  complementary  variables,  fm  and  em,  calculated  by 
the  model  are  the  model  output  variables.  Hence,  the  input  to  each 


submodel  Is  a  measured  system  variable,  the  covariable  of  which  Is 
calculated  by  the  submodel.  The  product  of  the  Input  and  the  output 
of  each  submodel  Is  the  submodel  calculated  power.  In  Figure  2.9  the 
power  values  of  submodel  1  and  2  are 


es  fm 


(2.2) 


(2.3) 


By  comparing  these  values  with  the  system  power  P12,  system 
failures  can  be  detected  and  the  location  of  their  causes  can  be 


Identified.  If  the  model  is  reliable  and  Pn^  differs  from  P^2»  the 
cause  of  the  failure  is  located  In  subsystem  1,  and  If  Pn2  differs 
from  Pj2  the  cause  Is  located  in  subsystem  2.  A  multiple  system 
failure  causes  both  Pnl  and  Pr2  to  differ  from  P12.  Thus,  FDLM  is 
capable  of  both  detecting  multiple  system  failures  and  locating  their 


causes. 


A  comparison  of  the  system  and  model  power  values  is  equivalent 
to  the  comparison  of  the  corresponding  effort  or  flow  variables.  The 
comparison  of  fm  and  f  (Figure  2.9)  is  equivalent  to  the  comparison 
of  Pnl  and  P12,  and  comparison  of  em  and  e$  is  equivalent  to  compari¬ 
son  of  Pn2  and  P-j2.  In  most  applications  the  effort  and  flow  compari 
son  is  advantageous.  However,  In  applications  where  the  efforts  and 
flows  change  their  values  rapidly,  the  power  comparison  is  advantageous 
This  is  true  since  the  power  in  these  cases  is  relatively  constant. 
Electrical  alternating  current  (ac)  machines  belong  to  this  class  of 


systems . 
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2.4.2  Unilateral  Energy  Bonds 


The  system  power  variable,  e$  or  f$,  Is  measured  and  a  model  of 
each  of  the  subsystems  (submodel  1  and  submodel  2)  is  constructed,  as 
shown  in  Figure  2.10.  According  to  the  causalities  of  these  submodels, 
the  measured  system  variable  Is  used  as  an  input  to  one  of  the  submodels. 

In  Figure  2.10  it  is  assumed  that  the  causalities  of  the  submodels 

are  such  that  f$  is  the  input  of  submodel  2.  f  is  the  model  output 

which  is  compared  with  the  measured  f  variable.  If  the  model  is 

reliable  and  f  differs  from  f  the  cause  of  the  failure  is  located  in 
s  m 

subsystem  1.  Thus,  In  the  unilateral  energy  bond,  the  failure  causes 
are  located  in  the  subsystem  which  is  on  the  tail  side  of  the  causality 
arrow. 

2.4.3  Multilateral  Energy  Bonds 

The  scope  of  this  thesis  is  limited  to  applications  of  FDLM  to 
multilateral  energy  bonds  in  which  there  are  three  independent  power 
variables.  Here  the  three  system  variables  pressure,  mass  flow,  and 
temperature  (P$,  Fs,  and  T§,  respectively)  are  measured  at  a  point 
in  the  system.  A  model  of  each  of  the  two  subsystems  (Submodel  1  and 
Submodel  2)  is  constructed,  as  shown  in  Figure  2.11.  According  to 
the  causalities  of  the  submodels  P  ,  F  ,  and  T  are  used  as  the  model 

5  5  5 

inputs. 

In  Figure  2.11  the  causalities  are  assuned  to  be  such  that  F$,  and 
T$  are  used  as  input  to  submodel  1  and  P$  Is  used  as  input  to  submodel 
2.  The  complementary  variables  P  ,  Fm,  and  Tm  are  the  model  output 
variables.  By  comparing  P  ,  F$,  and  T$  with  the  corresponding  model 
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Figure  2.11  FDLM  Application  to  a  system  with  multilateral  energy 
bonds  (3  independent  power  variables).  If  Pm  differs 
from  Ps  the  failure  is  in  subsystem  1  and  if  Fm  or  T^, 
differs  from  Fs  or  Ts,  respectively,  the  failure  is  in 
subsystem  2. 


variables  Pm»  Fm»  and  Tm  failures  can  be  detected  and  the  causes  can  be 

located.  If  the  model  is  reliable  and  P„  differs  from  Pm  the  failure 

s  m 

is  located  in  subsystem  1,  and  if  F$  differs  from  Fm  and/or  T$  differs 
from  Tm  it  is  located  in  subsystem  2.  Similarly  to  the  bilateral  en¬ 
ergy  bonds,  a  multiple  failure  may  cause  all  the  three  variables  to 
differ  from  their  corresponding  model  values. 

2.4.4  Refining  the  Failure-Causes  Location 

In  order  to  refine  the  location  of  a  failure  cause,  one  has  to 
divide  the  system  into  smaller  subsystems  and  to  perform  a  number  of 
comparison  tests  as  described  in  Sections  2.3.1  -  2.3.3.  These  tests 
can  be  performed  in  simultaneous  or  sequential  FDLM  modes.  The  FDLM 
simultaneous  mode  applied  to  bilateral  energy  bonds  is  shown  In  Figure 
2.12.  Here,  all  the  available  system  measured  variables  are  utilized 
simultaneously.  This  results  in  refining  the  locations  of  the  failure 
causes  at  the  expense  of  increasing  the  simultaneous  scanned  system 
and  model  output  variables.  The  FDLM  sequential  mode  applied  to  bi¬ 
lateral  energy  bonds  is  shown  in  Figure  2.13.  In  this  mode,  the  FDLM 
tests  are  performed  sequentially.  In  each  test  the  system  and  model 
outputs  of  a  single  measurement  point  are  utilized.  Here,  the  locations 
of  the  failure  causes  are  refined  at  the  expense  of  a  longer  search 
procedure.  The  trade-off  between  simultaneous  and  sequential  FDLM 
modes  is  discussed  further  in  Chapter  3. 

2.4.5  Updating  the  Model  Using  FDLM 

In  the  described  Failure  Detection  and  Location  Method  it  is  as¬ 
sumed  that  the  model  is  reliable  and  a  discrepancy  between  the  system 
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and  the  model  outputs  is  used  to  indicate  a  system  failure.  However, 
if  the  system  has  been  readjusted,  or  new  components  have  been  installed, 
one  can  use  the  FDLM  in  a  reverse  way  to  tune  or  update  the  model. 

This  Is  done  by  modifying  the  parameters  of  the  submodels  in  which  the 
causes  of  the  observed  system-model  disparity  are  located.  Such  modi¬ 
fications  should  be  in  a  direction  to  reduce  this  disparity,  and  the 
procedure  repeated  several  times'  until  the  disparity  is  insignificant. 

Thus  this  method  can  be  used  either  to  detect  system  failures,  or 
to  update  the  model  components,  depending  on  the  circumstances  of 
its  application. 

2.5  An  Example  of  FDLM  Applied  to  Bilateral  Energy  Bonds 

Consider  a  simple  hydraulic-mechanical -electrical  system,  shown  in 
Figure  2.14.  This  system  has  been  simulated  on  a  computer  and  its 
model  is  depicted  In  Figure  2.15.  A  system  failure  in  the  hydraulic 
motor  has  been  simulated  by  changing  its  coefficient.  We  assume  that 
measurements  can  be  taken  at  five  different  locations  in  the  system, 
points  1-5  in  Figure  2.14.  We  apply  FDLM  using  three  single  tests 
as  shown  in  Figure  2.16.  The  outputs  of  the  various  submodels  and  the 
corresponding  measured  variables  are  shown  in  Figure  2.17.  The  variables 
of  point  1  (Figure  2.17a)  indicate  that  the  failure  is  in  the  right 
subsystem.  The  variables  of  point  2  (Figure  2.17b)  indicate  that  the 
failure  is  still  in  the  right  subsystem.  The  variables  of  point  3 
(Figure  2.17c)  Indicate  that  the  failure  is  in  the  left  subsystem.  Thus, 
the  failure  is  between  points  2  and  3,  namely  it  is  the  hydraulic  motor. 
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Figure  2.14  A  description  of  an  hydraulic-mechanical -electrical 
system.  There  are  5  measurement  points  available 
(Points  1-5). 


Figure  2.16  A  sequence  of  three  FDLM  single  tests  applied  to  the  system  shown  in  Figure  2.14. 
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Figure  2.17a  FDLM  test  1.  Pressure  and  flow  measured  at  point  1  in 
the  system  compared  with  the  values  predicted  by  the 
model.  Since  FS  and  FM  are  different  the  failure  is  in 
the  right  subsystem. 


Figure  2.17b  FDLM  test  2.  Pressure  and  flow  measured  at  point  2  in 
the  system  compared  with  the  values  predicted  by  the 
model.  Since  FS  and  FM  are  different  the  failure  is  in 
the  right  subsystem. 
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^  1  Figure  2.17c  FDLM  test  3.  Torque  and  anqular  velocity  measured  at 

r  point  3  in  the  system  compared  with  the  values  pre- 

dieted  by  the  model.  Since  TS  and  TM  are  different  the 
failure  is  in  the  left  subsystem. 


CHAPTER  3 


ADVANTAGES  AND  LIMITATIONS  OF  FDLM 

3.1  System/Model  Comparison 

An  advantage  of  FDLM  is  that  it  utilizes  a  single  model  of  the 
system's  normal  operational  mode,  and  eliminates  the  necessity  to 
preprogram  the  system's  possible  failure  modes.  FDLM  is  capable  of 
detecting  and  locating  all  system  failures  which  result  in  significant 
output  deviations.  However,  in  order  to  apply  the  method  successfully 
the  location  task  has  to  be  completed  before  the  variables  of  the 
failed  system  wander  too  far  from  the  normal  range  such  that  the  model 
of  the  system's  normal  operational  mode  is  no  longer  valid.  This  can 
be  achieved  by  two  means:  (1)  early  failure  detection  (2)  efficient 
failure  location. 

3.1.1  Early  Failure  Detection 

FDLM  Is  proposed  to  be  applied  to  systems  which  are  continuously 
monitored  by  human  operators  or  conputers  during  the  operation.  By 
continuously  comparing  the  outputs  of  the  system,  Xg»  with  their 
corresponding  model  variables,  x^*  system  failures  can  be  detected 
sooner  than  would  have  been  possible  by  observing  x  crossing  its  preset 
safety  limits.  To  clarify  this  statement  consider  the  simulated  sys¬ 
tem  and  model  outputs  shown  In  Figure  3.1.  Here,  the  system  failed  at 
time  tQ.  This  failure  causes  xs  to  deviate  from  xm  and  at  time  tj,  the 
system-model  difference  (xs  -  xm)  exceeds  the  preset  allowable  thres¬ 
hold,  61]  indicating  a  system  failure.  Here,  the  failure  is  detected 
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Figure  3.1  The  system  output  x  crosses  its  safety  limit  at  time  t^.  whereas  the  system  model  deviation 
(lx  -  x  |)  exceedssits  allowable  threshold,  6,  at  time  t, . 


while  xs  Is  still  In  Its  normal  range.  xg  crosses  Its  safety  limit  only 
at  time  Hence,  a  system-model  comparison  can  result  in  early  failure 
detection  which  has  to  be  followed  by  an  efficient  location  procedure  to 
obtain  a  successful  FDLM  application. 

3.1.2  Efficient  Failure  Location  Procedure 

The  simultaneous  mode  of  FDLM,  depicted  for  the  bilateral  energy 
bond  case  in  Figure  2.12,  results  in  locating  the  system  failures  while 
the  detection  task  is  performed.  In  this  mode,  failures  are  detected 
and  defective  subsystems  are  located  simultaneously.  However,  this  mode 
requires  scanning  of  many  system  and  model  outputs.  In  large  scale 
systems  there  may  be  thousands  of  outputs  which  have  to  be  tested. 

These  tests  cannot  be  performed  simultaneously  unless  it  is  done  auto¬ 
matically  by  computer. 

The  sequential  mode  of  FDLM  requires  testing  of  only  a  few  system 
and  model  outputs  simultaneously,  so  that  the  cognitive  load  applied 
to  the  human  operator  is  minimized.  In  this  mode,  it  is  important  to 
apply  an  efficient  failure  location  procedure  which  will  identify  the 
defective  subsystems  soon  after  a  system  failure  has  been  detected. 

The  model  state  variables  turn  out  to  be  an  important  factor  in 
obtaining  an  efficient  location  procedure.  State  variables  are  as¬ 
sociated  with  storing  energy  components  which  introduce  time  delays 
and  dynamic  effects  into  the  model's  performance.  In  order  to  obtain 
an  efficient  location  procedure,  the  relative  position  of  the  model's 
state  variables  should  not  change.  In  the  simplest  case,  this  can  be 
obtained  by  disaggregating  the  model  into  at  least  n  submodels,  such  that 
each  submodel  contains  a  single  state  variable  at  the  most.  This  statement 
is  clarified  subsequently. 
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Consider  a  third  order  system,  as  shown  in  Figure  3.2.  Three  single 
sequential  FDLM  tests  (tests  1-3)  are  applied  utilizing  the  measured 
outputs  of  points  1-3.  The  state  variables  are  marked  as  S^-S3,  and  it 
is  assumed  that  one  of  the  system  components  has  failed.  The  defective 
component  is  marked  by  an  X  in  Figure  3.2.  The  outputs  of  test  1, shown 
in  Figure  3.4,  Indicate  that  the  failure  is  located  in  the  right  sub¬ 
system.  These  outputs  are  obtained  using  the  electric  network  shown 
in  Figure  3.3.  To  locate  the  failure  one  can  apply  the  FDLM  tests  2 
or  3,  shown  in  Figure  3.2.  In  test  2,  the  relative  positions  of  the  model  state 
variables  are  the  same  as  in  test  1;  S-j  is  in  the  left  submodel  and  S2 
and  S3  are  In  the  right  submodel.  The  outputs  of  test  2,  shown  in 
Figure  3.5,  indicate  Immediately  that  the  failure  is  still  in  the 
right  subsystem.  However,  In  test  3  the  relative  positions  of  the  model  state 
variables  are  changed;  S ^  and  S2  are  in  the  left  submodel  and  S3  is 
the  right  submodel.  The  outputs  of  test  3,  shown  in  Figure  3.6,  in¬ 
dicate  that  the  failure  is  still  in  the  right  subsystem  only  after  the 
left  system  and  model  outputs  coincide. 

Thus,  transferring  of  energy-storing  components  from  one  sub¬ 
model  to  the  next  Introduces  transient  modes  into  the  model  perfor¬ 
mance  and  results  In  a  long  failure  location  procedure;  whereas  by 
transferring  components  which  do  not  store  energy,  inrediate  results 
are  obtained  and  the  location  procedure  is  efficient. 

To  avoid  the  necessity  to  transfer  energy-storing  components  from 
one  submodel  to  the  next,  FDLM  should  be  applied  by  cutting  the 
aggregated  model  into  at  least  n  submodels,  such  that  each  submodel 
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Mgures  3. 4-3. 6.  The  three  measurement  point  (points  1-3)  correspon< 
measurement  points  shown  in  Figure  3.2. 


SS  -  Right  subsystem  output  variable. 
RM  “  Right  submodel  output  variable 


Figure  3. ’4  The  system  and  model  outputs  of  the  left  and  right 

submodels.  These  outputs  are  obtained  by  applying  the  FDLM 
test  1  and  indicate  that  the  failure  is  in  the  right  subsystem. 


K 


Figure  3.5  The  system  and  model  outputs  of  the  left  and  right  sub¬ 
models.  These  outputs  are  obtained  by  applying  the  FDLM 
test  2  and  indicate  immediately  that  the  failure  is  still 
in  the  right  subsystem. 
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Figure  3. 


6  The  system  and  model  outputs  of  the  left  and  right  sub¬ 
models.  These  outputs  are  obtained  by  applying  the  FDIM 
test  3  and  indicate  that  the  failure  is  in  the  right  sub 
system  only,  after  the  left  system  and  model  outputs 
coincide. 
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contains  one  energy-storing  component  at  most.  This  will  result  In  an 
efficient  failure  location  procedure. 

3.2  FDLM  and  the  Disaggregated  Model  Technique 

The  idea  of  detecting  and  locating  system  failures  by  cutting  the 
aggregated  model  Into  submodels,  and  comparing  the  outputs  of  the  system 
with  their  corresponding  submodels'  values  Is  not  novel.  It  has  been 
utilized  In  the  disaggregated  model  technique  discussed  In  [17].  How¬ 
ever,  FDLM  Is  distinguished  from  the  disaggregated  riodel  technique  by 
specifying  the  compared  system  model  outputs.  In  general ,  there  are 
many  system  outputs  which  could  have  been  coirpared  with  their  model 
values.  It  turns  out  that  a  system  failure  does  not  necessarily  cause 
all  of  these  outputs  to  deviate  from  their  normal  values.  Since  the 
number  of  outputs  of  a  system  Is  usually  large,  the  disaggregated 
model  technique  has  to  be  applied  by  comparing  only  some  of 
the  system  and  model  outputs.  This  may  lead  to  a  situation  where  a 
failure  has  occurred,  but  the  compared  system  and  model  outputs  will  not 
reflect  it. 

The  following  example  demonstrates  the  situation  described.  Con¬ 
sider  the  system  shown  In  Figure  2.14,  where  Its  model  is  disaggregated 
at  point  4,  and  the  right  submodel  is  shown  In  Figure  3.7.  The  right 
submodel  Input  Is  and  Its  outputs  are  t^,  tog,  Tg,  Eg  and  Ig  as 
shown  in  Figure  3.7.  The  mathematical  transfer  functions  of  these 

variables  relative  to  Input  u.  are  summarized  In  Table  3.1.  These 

s4 

functions  show  that  Tg  and  Ig  do  not  depend  on  the  bearing  friction 
coefficient,  b,  that  Efi  is  not  a  function  of  the  resistor  R,  or  b,  and 
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Figure  3.7  The  right  submodel  obtained  by  applying  FDLM  to  the  system 
shown  In  Figure  2.12  utilizing  measurement  point  4.  The 
submodel  Input  Is  W$^  and  outputs  are  t4,  t5,  Wg,  Eg»  V 

The  subsystem  components  are  the  bearings  (b),  generator 
(6),  and  resistor  (R^). 
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that  ug  equals  the  Input  variable,  u$  ,  and  does  not  depend  on  b,  R,  or 
the  generator  coefficient,  S.  Thus,  these  outputs  will  not  reflect 
failures  located  In  the  named  components. 


FDLM,  on  the  other  hand,  compares  the  power  variables  of  the  cut 

submodels.  These  variables  reflect  all  system  failures  as  defined  In 

Section  2.3.  The  power  of  the  right  submodel,  shown  In  Figure  3.7,  Is 

t, *u)_  and  this  variable  dapends  on  the  bearing  friction  coefficient,  b, 

4  s4 

the  generator  constant,  G,  and  the  resistor,  R^,  which  are  all  the  sub¬ 
model  components.  Thus,  comparison  of  the  power  variables  at  the  measure 
ment  point  Is  sensitive  to  failures  located  anywhere  within  the  system. 


3.3  Sensitivity  Analysis 

Sensitivity  analysis  Is  performed  by  measuring  the  resultant 
deviations  of  the  system  outputs  due  to  a  known  change  In  one  of  its 
parameters.  The  sensitivity  of  the  system  shown  In  Figure  2.14  Is 
analyzed  as  follows. 

The  values  of  the  seven  parameters  of  this  system  have  been  in¬ 
creased  by  202,  and  the  deviations  of  the  steady-state  outputs  have 
been  observed.  This  analysis  has  been  performed  while  applying  FDLM 
using  measurement  points  1-5.  The  results  of  this  analysis,  sunmarlzed 
In  Table  3.2,  Indicate  that: 


1.  The  steady  state  deviation  of  the  different  outputs,  due 
to  a  change  In  the  Inertia,  J,  Is  zero.  A  change  In  J 
Influences  the  outputs'  transient  responses,  but  does  not 
affect  their  steady  state  values.  As  a  result,  failures 
of  the  shaft's  Inertia  values  are  difficult  to  detect,  unless 
It  Is  fatal  failure  like  a  broken  shaft. 
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2.  The  deviation  of  the  outputs  at  measurement  point  3  due  to  a 
change  In  the  constant  of  the  hydraulic  motor,  k.  In  steady- 
state  conditions  In  Infinity.  This  Is  due  to  Integration 
effects  of  the  deviations  of  the  system  model  outputs  with 
respect  to  time.  This  Integration  phenomenon  may  cause 
false  alarms*  because  any  small  Imperfections  of  the  hydraulic 
motor  coefficient,  k,  will  result  In  large  output  deviations. 
Therefore,  measurement  point  3  should  not  be  used  to  apply 
FDLM. 

/ 

3.  FDLM  will  not  detect  all  system  component  failures  when 
the  outputs  of  a  single  measurement  point  are  used. 

By  using  measurement  point  1  or  2,  failures  of  the 
tank,  hydraulic  motor  and  the  bearings  can  be  detected. 
Measurement  point  5  detects  failures  of  the  generator  and 
the  load  resistor.  Thus,  one  can  apply  the  FDLM  using 
measurement  points  1  and  5  or  2  and  5,  simultaneously. 

In  this  way,  failures  located  in  the  tank,  hydraulic  motor, 
bearings,  generator  and  load  resistor  are  to  be  detected, 
where  malfunction  of  the  valve,  Ry,  and  the  shaft,  J,  are 
not  easily  detectable  using  this  method.  However,  these 
two  components  may  be  tested  using  fault/event  tree  analysis, 
or  other  available  methods. 

Thus  the  system's  sensitivity  can  limit  the  performance  of  FDLM 
In  detecting  system  failures.  It  has  been  shown  that  the  sensitivity 
of  some  system  components  may  be  low  or  even  zero,  and  as  a  result 
failures  located  In  these  components  are  very  difficult  to  detect.  On 
the  other  hand,  there  are  over-sensitive  components.  Imperfections  of 
which  will  cause  large  deviations  In  some  of  the  FDLM  outputs.  This 
over-sensitivity  results  In  false  alarms,  and  therefore  measurement 

points  which  cause  this  phenomenon  should  not  be  used.  It  seems  that 
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FDLM  best  results  are  obtained  by  utilizing  few  of  the  system  measure¬ 
ment  points  simultaneously.  This  results  in  a  fast  location  procedure 

(Section  3.1.2)  as  well  as  in  overcoming  low  components'  sensitivity. 

3.4  Sensor  Failures 

FDLM  is  designed  to  detect  and  locate  system  failures  based  on  a 
real-time  simulation  and  measured  system  outputs.  The  measured  outputs 
are  assumed  to  be  validated,  and  sensors'  malfunctions  are  assumed  to 
be  detected  separately  using  the  available  techniques  discussed  in 
[9]  and  [14].  However,  the  FDLM  sequential  mode  can  detect  sensor 
failures  and  distinguish  them  from  the  system's  failures. 

A  sensor  failure  causes  FDLM  to  provide  inconsistent  results  when 
it  is  applied  to  two  different  measurement  points.  Consider  two  single 
FDLM  tests,  shown  in  Figure  2.13.  Assume  that  one  of  the  sensors 
measuring  the  outputs  of  point  1  has  failed,  and  as  a  result,  test  1 
indicates  that  the  right  subsystem  is  defective.  To  locate  this  fallu-e, 
test  2  Is  applied,  and  assuming  that  there  are  no  sensor  failures  at 
point  2,  it  Indicates  that  the  system  Is  operating  normally.  This 
Inconsistency  between  the  results  of  point  1  and  2  implies  that  there 
Is  a  failure  In  the  sensors  of  point  1. 

Thus,  Inconsistent  results  of  FDLM  sequential  tests  Indicate 
a  sensor  failure. 
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CHAPTER  4 


MORE  COMPLEX  APPLICATIONS  OF  FDLM 
4.1  Applications  of  FDLM  to  Non-Linear  Systems 

So  far,  FDLM  applications  Included  simple,  linear  and  deterministic 
applications.  Here,  the  method  Is  extended  to  non-linear  applications  and 
It  will  be  shown  that  the  non-linear  dynamic  systems  can  be  modeled  by  a 
set  of  linear  differential  equations  If  certain  system  outputs  are  measured 
and  used  as  the  model  Inputs. 

The  mathematical  description  of  a  non-linear  system  can  be  expressed 
as: 

x  -  [A(x)]x  +  [B]u  (4.1) 

where  x  Is  an  n-dlmenslonal  vector  of  state  variables,  u  an  r-dimenslonal 
vector  of  Input  and,  [A(x)]  and  [B]  are  nxn  and  nxr  matrices,  respectively. 
This  set  of  n  non-linear  differential  equations  can  be  solved  numerically 
using  the  Trapezoid  rule,  Runge-Kutta,  or  any  other  available  method 
discussed  In  [20]. 

However,  In  order  to  obtain  a  stable  solution,  the  integration 
time-step  of  the  non-linear  differential  equations  has  to  be  signifi¬ 
cantly  reduced,  compared  to  the  linearized  one  [20].  This  may  result 
In  a  non-linear  simulation  which  cannot  be  Implemented  in  real-time. 
Therefore,  the  following  transformation,  which  enables  one  to  apply  FDLM 
to  non-linear  systems  by  solving  a  linear  set  of  differential  equations 
Is  useful . 


-62- 


Equation  (4.1)  can  be  transformed  Into 


x  *  [A']x  +  [B]u  +  [B'])r  (4.2) 

where  [A‘]  Is  an  nxn  matrix,  x^  Is  an  r*  dimensional  vector  of  measured 
system  outputs,  and  [B']  Is  an  nxr1-  matrix. 

Since  [A*]  does  not  contain  state  dependent  terms,  equation  4.2  Is 
a  linear  state-space  description,  where  the  non-linear  system  character¬ 
istics  are  Introduced  through  the  measured  outputs,  x^.  Thus,  FDLM 
computer  simulation  Is  supported  by  selected  measured  outputs  of  the 
system,  which  enables  one  to  model  the  non-linear  system  using  a  linear 
set  of  differential  equations.  This  Is  Illustrated  In  the  following  ex¬ 
ample. 

Consider  the  fifth-order  electric  network  shown  in  Figure  4.1,  where 
the  transformer  coefficient  G  is  a  non-linear  function  of  the  current, 

1^ .  G  can  be  expressed  as 

G  *  k  cos(I-j)  (4.3) 

where  k  Is  a  constant.  The  non-linear  [A]  matrix  can  be  written  as: 
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where  the  states  are  the  voltages  of  the  solenoids  ,  L2>  L3,  and 

and  the  current  of  the  capacitor  C, .  By  measuring  the  system  voltage 

1  S1 
and  current  I*  »  one  can  transform  the  non-linear  differential  equations 
S1 

Into  a  linear  set  where: 
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The  linear  and  non-linear  simulations  have  been  Implemented  and  their 
performances  are  depicted  In  Figure  4. 2-4. 4.  In  Figure  4.2  the  Inte¬ 
gration  time  step  Is  0.05  seconds.  The  third  and  the  fourth  state  vari¬ 
ables  of  the  non-linear  simulation  (s3ands^)  diverge  from  their  system  values, 
where,  in  Figure  4.3  the  simulation  Is  linear  and  for  the  same  integration  time 
step,  these  state  variables  (s^ands^)  follow  their  system  values.  Figure 
4.4  demonstrates  that  by  reducing  the  integration  time  step  to  0.005  sec. 
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Figure  4.2  The  system  and  model  state  variables  of  the  electric 

network  shown  in  Figure  4.1.  The  model  state  variables 
M3  and  M4  do  not  follow  their  corresponding  system  state 
variables  S3  and  $4.  The  integration  time  steo  is  0  05 
seconds. 
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Figure  4.3  The  system  and  model  state  variables  of  the  electric  network 
shown  in  Figure  4.1.  The  model  state  variables  follow  their 
corresponding  system  state  variables.  FDLM  linear  transform¬ 
ation  is  applied  and  the  integration  time  step  is  0.05  seconds. 
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4  The  system  and  model  state  variables  of  the  electric  network 
shown  in  Fiqure  4.1.  The  model  state  variables  follow  their 
correspondinq  system  state  variables.  The  inteqration  time 
step  is  0.005  seconds. 


the  unstable  characteristics  of  the  non-linear  simulation  are  eliminated. 

4.2  Multi -Connected  Systems 

Systems  that  their  power  flow  descriptions  contain  closed  loop  are 
multi -connected  sytems.  An  example  of  such  a  system  Is  depicted  In 
Figure  4.5.  In  Figure  4.6  FDLM  Is  applied  to  this  system  utilizing  the 
measured  outputs  of  a  single  measurement  point. 

By  using  a  single  measurement  point,  the  aggregated  model  Is  not 
fully  partitioned.  As  a  result,  the  location  capability  of  FDLM  is 
eliminated.  However,  by  utilizing  the  outputs  of  two  measurement  points 
simultaneously,  the  mul tl -connected  model  Is  partitioned  Into  two  sub¬ 
models,  as  shown  In  Figure  4.7.  By  comparing  the  outputs  of  these 
submodels  with  their  corresponding  system  variables  FDLM  is  able  to  de¬ 
tect  and  locate  failures  of  multi -connected  systems. 

4.3  Dependent  Energy  Storing  Components 

When  the  model  of  a  physical  system  contains  dependent  energy 
storing  components,  applying  FDLM  may  result  In  calculated  model  outputs 
which  are  functions  of  the  inputs'  time  derivatives.  When  the  system 
Includes  stochastic  processes  the  model  Inputs  are  fast  changing  signals 
that  cannot  be  differentiated. 

To  clarify  this  statement,  consider  the  submodel  shown  In  Figure 

4.8.  The  model  output  E„,  can  be  written  as: 

m 


RI. 


(4.7) 
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When  the  system  Involves  stochastic  processes,  the  measured  current 

I  Is  not  a  smooth  function  and  therefore  It  cannot  be  differentiated. 
S1 

As  a  result,  the  voltage  ^  cannot  be  calculated,  and  FDLM  Is  not 
applicable. 


This  problem  can  be  overcome  by  changing  the  submodel's  causality, 
which  results,  on  one  hand.  In  adding  state  variables  to  the  simulation, 
and  on  the  other  hand.  In  eliminating  the  necessity  of  calculating 
derivatives.  In  Figure  4.9  the  causality  of  the  submodel  shown  In 


Figure  4.8  Is  changed,  and  the  model  output,  I  ,  can  be  expressed  as: 


L  -  E2)dt 

V  *  i 


(4.8) 


where  Ee  Is  the  model  Input  and  E0  and  L  are  defined  In  Figure  4.9. 

S1  2 

Thus,  In  order  to  detect  failure  In  a  system  which  contains  dependent 
energy  storing  components,  the  model  causality  must  be  set  such  that  the 
model  outputs  are  not  functions  of  the  Inputs'  derivatives.  This  requle- 
ment  may  add  state  variables  to  the  existing  simulation. 

4.4  Thermofluidlc  Systems 

Consider  a  general  thermofluidlc  component,  shown  In  Figure  4.10. 

The  volume,  V,  of  this  component  Is  a  constant.  Fluid  Is  assumed  to 
flow  In  and  out  with  mass  flow  rates  F1  and  F2>  respectively.  This  com¬ 
ponent  Is  subjected  to  heat  flow  (J  and  rate  of  work  A.  It  Is  assumed 
that  the  well -stirred  tank  and  the  Ideal  gas  assumptions  are  valid. 
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Figure  4.10  A  general  thermofluidic  component.  Fluid  flows  in  and  out 
with  mass  flow  F-|  and  F2.  E. is  the  energy  and  M  is  the  mass 
of  fluid  in  the  component.  Q  and  W  are  the  heat  and  work 
rates,  respectively. 


Figure  4.11  The  input  and  output  variables  of  the  system  shown  in  Figure 
4.10.  E  and  M  are  the  system  state  variables. 
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The  mass  and  energy  conservation  laws  applied  to  this  component 
can  be  written  as: 

F1  -  F2  '  (4.9) 

Flhl  “  F2h2  +  $  "  *  (4.10) 

where  M  Is  the  mass  and  E  Is  the  Internal  energy  stored  in  the  component. 

Using  the  well  stirred  tank  assumption,  the  pressure  and  temperature  at 
the  outlet  P2  and  T2,  respectively,  can  be  related  the  pressure  and 
temperature  Inside  the  component,  P  and  T  [20].  This  can  be  written 
mathematically  as: 


dM 

dt  * 


dE 

dt 


P2  *  *p0>> 

(4.11) 

T2  -♦f(T) 

(4.12) 

where  4»p  and  are  some  known  functions, 
analysis.  It  Is  assumed  that 

Here,  to  simplify  the 

T2  -  T 

(4.13) 

P2  »  P 

(4.14) 

Modeling  the  fluid  Inside  the  component  as 

equation  can  be  written  as: 

an  Ideal  gas.  Its  state 

P  *  P  R  T 

(4.15) 
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ere  R  is  the  gas  constant.  The  internal  energy,  E,  and  the  specific 
.•nthalpy  can  be  expressed  as: 

E  «  CyMT  (4.16) 

h  -  CT  (4.17) 

P 

By  substituting  equations  (4.15)  -  (4.17)  into  equation  (4.10)  the 
energy  conservation  law  can  be  recast  as: 

-3T  ’  Wl  '  F2  <4-)  +  «  -  4  <4-18> 

where  Cp  is  the  specific  heat  at  constant  pressure.  Thus  the  two  state 
variables  of  the  general  thermofluldlc  component  are  E  and  M,  the  values 
of  which  are  obtained  by  solving  equations  (4.9)  and  (4.18).  In  order 
to  solve  these  equations,  the  following  variables  must  be  measured:  , 

F2,  Tj ,  0.  and  W.  The  calculated  model  outputs  are  P2,  and  T2>  which  can 
be  expressed  as: 

p2  '  ■y^-  E  *4-19' 

’  f  i  (4-20> 

where  V  Is  the  volume  of  the  component.  These  model  Inputs  and  outputs 
are  depicted  In  Figure  4.11. 

Another  useful  element  Is  the  choke  flow  resistor,  shown  In  Figure 
4.12.  The  flow,  F,  can  be  expressed  as: 


F  * 


sgn(P1  -  p2) 


(4.21) 


where  AP  Is  the  pressure  drop  P^  -  P2-  Utilizing  the  ideal  gas  assump¬ 
tion  equation  (4.21)  can  be  recast  as: 

F  *  -  P2*\  (4.22) 

where  T  is  the  average  temperature  and  R  is  the  gas  constant.  In  the 
case  where  P^»  P2,  the  flow  F  can  be  expressed  as: 

F  *  ~P ,  (4.23) 

/ITT  1 

Thus,  by  measuring  the  pressure,  P-j ,  and  the  average  temperature,  T,  the 
flow,  F,  can  be  calculated  using  equation  (4.23).  This  Is  depicted  in 
Figure  4.13. 
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Figure  4.14  FDLM  method  applied  to  a  simple  thermofluidic  system. 

Deviations  of  P-  from  Pm  and  T?  from  Tm  indicate  that 
the  tank  has  failed,  and  deviations  of  Fs  from  Fm  in¬ 
dicate  that  the  valve  has  failed. 
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The  following  example  demonstrates  how  the  models  of  the  general 
thermodfluldlc  system  and  the  choke  flow  resistor  can  be  used  to  detect 
and  locate  system  failures.  Consider  the  pressurized  tank,  shown  In 
Figure  4.14,  where  gas  flows  out  to  the  atmosphere  through  a  valve. 

The  pressure,  flow,  and  temperature  (P  ,  F  ,  and  T  ,  respectively) 
are  measured,  and  the  system's  model  equations  are  constructed  as 
follows: 


*  .  -F 
rs 


(4.24) 


dE_, 

dt 


(4.25) 


where  E  and  M  are  the  two  model  state  variables.  Assuming  that  P  >>  P 

S  i 

and  T$  »TaJ;,  the  mass  flow,  Fm,  can  be  calculated  as  follows: 


m 


(4.26) 


The  model  pressure  and  temperature  can  be  calcualted  using  equations 
(4.19)  and  (4.20).  This  system  model  setup  Is  depicted  In  Figure  4.14. 
By  comparing  the  measured  pressure,  flow,  and  temperature  with  their 
corresponding  model  values  system  failures  can  be  detected  and  located. 
If,  for  example,  P$  deviates  from  Pm  or  Tg  deviates  from  Tm,  the  tank 
has  failed.  On  the  other  hand  deviations  of  F$  and  Fm  Indicate  that  the 
valve  has  failed. 

Thus,  the  causal  description  of  systems  Is  utilized  by  FDLM  to 
locate  system  defective  components. 
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CHAPTER  5 


HUMAN  FACTOR  CONSIDERATIONS 

5.1  Aiding  the  Operator  Detecting  System  Failures 

FDLM  is  designed  to  aid  the  human  operator  to  detect  and  locate 
system  failures.  The  operator  decides  whether  or  not  the  system  has 
failed  based  on: 

(1)  the  size  of  the  discrepancies  between  the  system  and  model 
outputs,  and 

(2)  the  length  of  time  during  which  these  discrepancies  have 
exceeded  the  allowable  thresholds. 

To  determine  whether  criteria  1  and/or  2  are  violated,  the  time 
history  of  the  system  and  model  outputs  are  displayed  to  the  operator. 
In  most  applications  the  compared  system  and  model  outputs  are  noisy. 
This  fact  complicates  the  comparison  task,  since  It  Involves  checking 
the  expected  value  of  the  difference  between  the  system  and  the  model 
outputs  and  the  variance  of  the  system  output.  This  comparison  can  be 
expressed  mathematically  as: 

i*rrsci  *  i*s  •  *j  *  a  <5-'> 

Var(xs)  <  o*  (5.2) 

where  x$  and  xm  are  the  expected  values  of  the  system  and  model  outputs 

2 

over  time,  respectively,  A  an  allowable  threshold,  Va r(x  )  and  o  the 

w  ll 

variance  of  the  system  output  and  Its  normal  value,  respectively.  The 
expected  values  should  be  evaluated  over  a  fraction  of  the  system's 
smallest  time  constant  based  on  at  least  10-15  samples. 


One  way  to  perform  the  monitoring  task  Is  to  display  to  the  human- 
operator  the  time  history  of  the  values  of  x$  and  as  shown  in  Figure 
5-1.  The  length  of  time  viewed  In  this  display  is  At,  and  the  current 
values  of  x$  and  x]n  are  displayed  on  the  right  hand  of  the  window,  as 
shown  In  Figure  5.1.  It  Is  desired  to  set  At  to  be  three  times  the 
system  associated  time  constant,  such  that  the  system  dynamics  are 
captured  In  the  display. 

The  performance  of  the  human  operator,  monitoring  the  system  and 
model  outputs  and  using  the  display  shown  In  Figure  5.1  turns  out  to  be 
poor.  In  an  experiment  conducted  In  the  M.I.T.  Man-Machine  Systems 
Laboratory  and  discussed  In  Chapter  6  using  the  display  shown  In  Figure 
5.1  the  human  operator  had  13.75*  false  alarms  and  11.252  misses.  To 
Improve  the  operator's  performance,  various  analog  and  digital  (numerical) 
displays  were  considered.  These  displays.  Included  Raw  and  Averaged 
Variables,  Percentage  Error,  Standard  Score  and  Probability  Display. 

These  displays  are  discussed  and  evaluated  below: 

5.1.1  Raw  Variables  Display 

To  demonstrate  the  difficulties  Involved  In  the  monitoring  task 
using  the  display  shown  in  Figure  5.1,  outputs  having  different  noise 
levels  are  'hown  In  Figures  5.2  and  5.3.  In  these  displays  the  measured 
and  modelled  output  variables  are  displayed  In  their  raw  form.  The  sig¬ 
nals  of  Figure  5.2  and  5.3  are  generated  by  simulating  the  outputs  of 
point  4  of  the  system  shown  In  Figure  2.12,  and  superimposing  on  them  a 
random  signal  which  represents  the  measurements'  noise.  The  standard 
deviation  of  the  noise  in  Figures  5.2  and  5.3  Is  0.15  and  0.55,  respec¬ 
tively. 
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Figure  5.1  FDLM  system  and  model  outputs  for  a  single 
measurement  point.  The  system  output  is 
noisy.  The  left  submodel  output  is  smooth, 
whereas  the  right  submodel  output  is  noisy. 


r 
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Figure  5.2  Raw  variables  display.  The  standard  derivation 
of  the  noise  is  0.15  in  the  output  units.  In 
5.2a  the  failure  located  in  the  right  subsystem 
and  in  5.2b  in  the  left  subsystem. 
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Figure  5.3  Raw  variables  display.  The  standard  deviation  of 
the  noise  is  0.55  in  the  output  units.  In  5.3a 
the  failure  located  In  the  right  subsystem  and  in 
5.3b  in  the  left  subsystem. 


In  the  side-by-side  windows  viewed  In  Figures  5.2  and  5.3  the 


system  and  model  flows  (f$,  fm)  are  displayed  In  the  left  window, 
and  system  and  model  efforts  (e$,  em)  in  the  right.  Since  the  left 
subsystem  contains  state  variables  and  the  right  does  not,  the  left 
model  output  Is  smooth  and  the  right  Is  noisy.  Furthermore,  In  case 
of  a  failure  the  left  submodel  output  diverges  from  Its  corresponding 
system  variable  only  after  a  time  delay  of  6t  (12  sec  In  Figure  5.2b 
and  5.3b),  whereas  the  right  submodel  output  diverges  almost  Immediately 
(Figure  5.2a).  When  the  noise  level  Is  low,  the  Raw  Variables  Display 
can  be  used  for  detecting  system  failures  quite  successfully  (Figure 
5.2).  However,  with  a  high  noise  level  (Figure  5.3)  the  Raw  Variables 
display  does  not  seem  to  be  helpful.  In  the  case  where  the  submodel 
does  not  contain  state  variables,  failures  are  not  detectable,  as 
shown  In  Figure  5.3a. 

As  noted  earlier,  one  way  to  enable  the  operator  to  detect  failures 
of  noisy  systems  Is  to  smooth  the  output  variables.  A  simple  smoothing 
technique  used  In  this  work  Is  averaging  the  system  and  model  outputs, 
as  discussed  below. 

5.1.2  Averaged  Variables  Display 

By  averaging  the  raw  system  and  model  outputs  one  smooths  the 
noisy  signals.  This  enables  the  operator  to  detect  discrepancies  be¬ 
tween  the  system  and  model  outputs.  The  failure  of  Figure  5.3  is  re¬ 
simulated  and  the  corresponding  Averaged  Variables  Display  Is  shown  In 
Figure  5.4.  Averaging  the  system  and  model  outputs  has  been  suggested 
by  Shackel  [21].  The  averaging  technique  enables  one  to  detect  fail- 
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5.4  Averaged  raw  variables  display.  The  standard 
deviation  of  the  noise  is  0.55  in  the  output 
units  as  5.4a  the  failure  is  in  the  right  subsystem 
and  in  5.4b  in  the  left  subsystem. 
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ures  of  a  noisy  system,  but  the  Information  of  the  system  noise  level 
Is  lost.  To  retain  the  noise  level  Information  and  still  enable  de¬ 
tecting  system  failures  Is  proposed  to  average  the  model  outputs  only. 
This  will  result  In  a  display  where  the  system  output  Is  noisy  and  the 
model  output  Is  smooth,  as  shown  In  Figure  5.5.  In  the  experiment  dis¬ 
cussed  In  Chapter  6,  the  effects  of  the  Raw  Averaged  and  model  Averaged 
Variables  displays  were  examined. 

Instead  of  displaying  the  time  history  of  the  system  and  model 
outputs  in  their  ra'?  or  averaged  forms,  one  can  display  some  of  their 
related  functions,  which  might  help  the  opeator  In  his  monitoring  task. 
These  functions  can  be  some  statistical  measures  which  might  reduce  the 
operator's  cognitive  load  and  help  him  perform  the  comparison  task  ex¬ 
pressed  In  equations  (5.1)  and  (5.2).  The  measure  of  Percentage  Error 
Is  one  candidate  Index,  and  its  display  is  discussed  in  the  next  section. 

5.1.3  Percentage  Error  Display  (PEP) 

The  Percentage  Error  Is  defined  as  the  difference  between  the 
averaged  system  (x$)  and  model  (xm)  outputs  divided  by  i.e., 

xc  -  x_ 

PE  -  — ^ - - -  (5.3) 

*m 

Equation  (5.3)  and  the  comparison  test  of  equation  (5.1)  are  directly 
related.  The  threshold  A  (equation  5.1)  can  be  expressed  as:  | P E * xm J  <  A . 

Thus,  Percentage  Error  Display  seems  to  be  helpful  In  applying 
the  test  of  equation  (5.1).  However,  It  eliminates  the  possibility  of 
checking  the  noise  level  of  the  system  outputs.  Furthermore,  PED  does 
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Figure  5.5  Raw  system  and  averaged  model  outputs  display 


not  show  the  values  of  the  system  and  model  variables.  Therefore  it  is 
coupled  with  the  Raw  Variables  Display  as  shown  in  Figures  5.6  and  5.7. 

The  standard  deviation  of  the  noise  in  Figures  5.6  and  5.7  is  0.15  and 
0.55,  respectively. 

The  Percentage  Error  is  a  measure  that  helps  the  operator  to  moni¬ 
tor  the  differences  between  the  expected  values  of  the  model  and  system 
outputs  but  It  does  not  consider  the  system  noise  level.  A  measure  that 
takes  into  account  the  difference  between  x$  and  5^,  as  well  as  the  system 
noise  level  is  the  Standard  Score  Display. 

5.1.4  Standard  Score  Display  (SSD) 

The  Standard  Score,  Z,  Is  defined  as  the  difference  between  the 
averaged  system  and  model  outputs  divided  by  the  value  of  the  standard 
deviation  of  their  difference  Z  can  be  expressed  mathematically  as: 


Z 


x.  -  x_ 
s  m 


(5.4) 


where  n  is  the  size  of  the  samples,  the  averages  (x$  and  5^)  of  which 
are  calculated,  and  a  d/VrF  is  the  standard  deviation  of  the  difference 
x$  -  Xjjj,  during  the  system  normal  operation  mode,  can  be  expressed 
as: 


2  2 
+  a„  -  2 or 


m 


xs*m 


(5.5) 


where  a  and  a  are  the  standard  deviations  of  the  system  and  model 
xs  m 


outputs,  respectively,  and  a  y  Is  the  covariance  of  the  system  and 

xs  m 


model  outputs,  Is  measured  for  the  normal  operation  of  the  system 
off  line.  This  value  is  used  to  calculate  the  Z  score  value  in  real-time. 
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Figure  5.6  Percentage  error  and  raw  variables  display.  The  standard 
deviation  of  the  noise  is  0.15  in  the  output  units.  In 
5.6a  the  failure  Is  in  the  right  subsystem  and  in  5.6b 
is  in  the  left  subsystem. 
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Figure  5.7  Percentage  error  coupled  with  the  raw  variables 
display.  The  standard  deviation  of  the  noise  is 
0.55  in  the  output  units.  In  5.7a  the  failure  is 
In  the  right  subsystem  and  in  5.7b  is  in  the  left 
subsystem. 
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Similar  to  PED  the  Standard  Score  Display  does  not  show  the  values 
of  the  system  and  model  outputs.  Therefore,  SSD  was  coupled  with  the 
Raw  Variables  Display,  as  shown  in  Figure  5.8  -  5.10.  The  standard 
deviation  of  the  noise  in  Figure  5.8  -  5.10  Is  0.15,  0.55  and  1.0, 
respectively,  and  the  thick  lines  in  these  graphs  indicate  that  the  Z 
score  value  is  beyond  the  display  scale. 

The  Z  score  Is  a  function  of  the  sampled  values  of  x$  and  xm,  the 
sample  size,  n,  and  the  noise  level  of  the  system  normal  operation  mode. 
The  Z  values  for  the  simulations  shown  in  Figures  5.8  -  5.10  are  sum¬ 
marized  in  Table  5.1 . 

Thus,  the  Z  score  is  sensitive  to  the  noise  level  of  the  normal 
operation  mode  of  the  system,  but  it  is  not  directly  related  to  the  cur¬ 
rent  system  noise  level.  As  a  result,  this  measure  does  not  help  the 
operator  perform  the  variance  comparison -test  described  In  equation  (5.2). 

Another  measure  appearing  useful  and  of  help  to  the  operator  per¬ 
forming  the  comparison  test  described  by  equations  (5.1)  and  (5.2)  Is  the 
probability  measure.  This  measure  has  been  suggested  by  Moray  [23].  In 
order  to  estimate  the  probability  that  the  system  has  failed,  a  statis¬ 
tical  model  has  been  incorporated  into  FDLM.  This  model  is  discussed  in 
Section  5.2  and  a  description  of  the  Probabilities  Display  follows. 


TABLE  5.1:  Z  VALUES  FOR  DIFFERENT  NOISE  LEVELS 
OF  SYSTEM  MEASURED  OUTPUTS 


NOISE  LEVEL 

Z  VALUES  OF 
UNFAILED  SYSTEM 

Z  VALUES  OF 
FAILED  SYSTEM 

SAMPLE  SIZE 

a  •  0.15 

|Z|  <  2.0 

|Z|  > 

5.0 

20 

a  *  0.55 

|Z[  <  1.8 

m  > 

3.0 

20 

<3  »  1.0 

|Z|  <  1.5 

|z|  > 

2.0 

20 
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Figure  5.10  Standard  score  and  raw  variables  display. 

The  standard  deviation  of  the  noise  is  1.0 
In  the  output  units.  In  5.10a  the  failure 
is  in  the  right  subsystem  and  in  5.10b  is  in 
the  left  subsystem. 


5.1.5  Probabilities  Display 

By  using  the  Bayesian  Statistical  model  discussed  In  Section  5.2.2 
one  can  calculate  the  probability  that  the  system  has  failed*  based  on: 

1.  A  sampled  difference  between  the  system  and  model  outputs, 

-  I  -  I  -I 

2d  "  xs  "  * 

2.  An  allowable  difference  threshold.  A,  of  xd 

3.  The  standard  deviation  of  the  sampled  difference  In  normal 
operation  mode. 

This  probability  Is  denoted  as  P  (Failure  |xd). 

A  measure  that  might  be  useful  In  drawing  the  operator's  attention 
to  a  possible  system  failure  Is  the  ratio  of  probabilities  of  failure 
to  no-fallure,  or,  as  It  Is  called  In  the  Bayesian  theory,  the  odds 
ratio,  ft.  ft  can  be  expressed  mathematically  as: 

p(Fa11ure  |xL) 

ft  - — -  (5.6) 

P(No  Failure  |xd) 

The  odds  ratio  seems  to  be  a  useful  measure  because  It  Is  a  comparative 
measure  that  people  apply  when  the  probabilities  of  two  events  are  es¬ 
timated  [22].  In  Figure  5.11  It  Is  shown  that  the  values  of  p(Fa11ure 
\xd}  lie  between  0  to  1,  whereas  the  corresponding  odds  ratio  varies 
from  0  to  ».  By  setting  a  critical  odds  ratio  value,  ftc,  and  calcu¬ 
lating  the  current  odds  values,  ft  In  real-time  an  Indication  of  system 
failure  Is  generated.  The  system  Is  suspected  to  be  failed  when  ft  ex¬ 
ceeds  ft  .  Therefore,  It  Is  proposed  to  display  the  current  ft  values. 

In  addition,  the  time  It  exceeds  ftc  Is  displayed  as  well.  Because  of 
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Figure  5.11  The  odds  ratio,  n  versus  the  probability  of  a 
system  failure,  -  p[failure]. 


system  dynamics  and  noise  effects  ft  might  exceed  ftc  for  a  short  period 
of  time.  This,  however,  should  not  be  considered  to  be  a  system  failure. 
Thus  the  combination  of  the  ft  value  and  the  time  It  exceeds  ftc  Indicates 
whether  or  not  a  system  failure  exists. 

The  Probabilities  Display  coupled  with  the  Model  Averaged  Variables 
Is  shown  In  Figures  5.12  -  5.15.  In  this  simulation  ftc  was  set  to  be 
unity. 

In  these  figures  the  odds  ratios  are  displayed  In  a  digital  (numer- 
leal)  form,  and  the  system  and  model  outputs  In  an  analog  form.  This 
display  Is  useful  In  determining  the  expected  values  (equation  5.1) 
as  well  as  making  the  variances  comparison  tests  (equation  5.2).  In 
the  case  where  a  failure  results  in  Increasing  the  system  noise  level 
only  the  calculated  odds  ratio,  ft,  will  swing  frequently  below  and  above 
the  critical  odds  value,  flc.  In  this  case  It  might  be  useful  to  dis¬ 
play  the  time  history  of  the  odds  values.  It  Is  the  capability  to 
compare  the  expected  values  and  the  variances  (equations  5.1  and  5.2) 
which  makes  the  Probabilities  Display  very  promising. 

5.2  Incorporating  a  Statistical  Model  within  FDLM 

In  Chapter  5.1.5  It  has  been  shown  that  calculating  and  displaying 
the  probability  of  a  failure  might  help  the  operator  perform  the  moni¬ 
toring  task.  To  calculate  these  probabilities,  a  statistical  model  has 
to  be  Incorporated  Into  FDLM.  To  construct  this  model  It  is  assumed 
that  x$  and  x|n  are  the  outputs  of  the  system  and  the  model ,  respec¬ 
tively.  The  standard  deviation  of  the  difference,  x$  -  x[n,  for  the 

system's  normal  operation  mode  can  be  estimated.  For  a  sample  of  n 
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Figure  5.12  Raw  system  averaged  model  outputs  display  and 
the  odd  calculated  by  a  Bayesian  statistical 
model.  The  system  Is  under  normal  conditions 
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.13  Raw  system  averaged  model  outputs  display  and  the  odds 
calculated  by  a  Bayesian  statistical  model.  There  Is  a 
failure  In  the  right  subsystem. 
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Figure  5.14  Raw  system  averaged  model  outputs  display  and  the 
odds  calculated  by  a  Bayesian  statistical  model. 
There  Is  a  failure  In  the  left  subsystem. 
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Fiqure  5.15  Raw  system  averaged  model  outputs  display  and  the  odds 
y  calculated  by  a  Bayesian  statistical  model.  There  is 

a  multiple  failure  in  the  left  and  the  rioht  subsystems 


observations  from  equation  (5.1)  the  expected  value  of  the  sampled  dif¬ 
ference  between  the  system  and  model  outputs  Is  x^  and  Its  standard 
deviation  Is  a^yVn. 


If  the  sample  size*  n,  Is  chosen  to  be  large  enough,  the  probability 
density  function  of  x^  can  be  approximated  as  a  Gaussian  distribution. 
This  Is  a  result  of  the  Central  Limit  Theorem  [23].  The  Gaussian 
assumption  Is  valid  If  the  n  sampled  system  and  model  outputs  are  Inde¬ 
pendent,  Identically  distributed  random  variables  with  a  finite  expected 
value  and  a  finite  variance.  This  Is  regardless  of  the  form  of  the 
probability  density  function  of  the  Individual  x$  and  xm  variables. 

In  practical  applications  the  probability  density  function  of  x^  calcu¬ 
lated  by  15  observations  can  be  assumed  to  be  Gaussian.  There  are  two 
mutually  exclusive,  collectively  exhaustive  hypotheses  one  has  to  con¬ 
sider. 

Null  Hypothesis  Hq:  x^  »  xQ  no  failure  exists 

Alternative  Hypothesis  H^  x^  >  | xQ|  failure  exists 

where  xQ  In  this  application  Is  zero  If  no  prior  lies  between  system  and 
model  Is  assumed.  Two  basic  statistical  models  can  be  constructed  to 
test  the  Hq  and  H^  hypotheses.  These  two  models  are  discussed  as 
follows. 

5.2.1  Classical  Hypothesis  Testing 

Using  the  Classical  Hypothesis  Testing  one  can  calculate  the 
rarity  of  the  obtained  sampled  difference,  assuming  that  the  null 
hypothesis,  H  ,  Is  true. 


The  assumption  that  HQ  Is  true  implies  that  the  probability 
density  function  is  centered  on  the  xQ  value,  as  shown  In  Figure  5.16. 
The  probability  that  the  difference  xd  exceeds  the  absolute  sampled 
value,  xd,  Is  represented  by  the  crossed  area  shown  In  Figure  5.16. 

If  xd  Is  far  enough  out  In  either  tail  meaning  p(xd  >  |xd||HQ)  Is  low 
(less  than  0.05  by  convention),  the  null  hypothesis,  HQ,  Is  rejected, 
which  Implies  that  the  alternative  hypothesis,  ,  Is  accepted. 

Classical  Hypothesis  Testing  does  not  evaluate  the  alternative 
hypothesis  directly.  H-j  Is  either  accepted  or  rejected  based  on 
testing  the  HQ  hypothesis.  The  difficulty  to  test  directly  results 
from  the  fact  that  the  value  of  the  population  mean  of  the  difference, 
xd*  cannot  be  specified  when  H-j  Is  assumed  to  be  true.  In  this  case 
xd  can  get  a  range  of  values.  This  Is  In  contrast  to  the  HQ  assumption 
that  sets  xd  to  be  a  single  value,  xQ.  The  difficulty  to  apply  the 
Classical  approach  to  test  the  hypothesis  that  the  system  has  failed, 
has  been  recognized  by  Gal  and  Curry  [24]  who  suggested  ways  to  over¬ 
come  It. 

5.2.2  Bayesian  Approach 

Using  the  Bayesian  statist.  .  1  model  one  can  calculate  the 
probability  that  the  system  has  failed  based  on  a  sampled  averaged 
difference,  xd*  This  Probability  is  denoted  as  p(Fa11ure|xd) .  The 
probability  density  function  of  xd  In  this  model  is  centered  on  the 
sampled  xd  value  as  shown  In  Figure  5.17.  By  setting  an  allowable 
difference  between  the  system  and  the  model  outputs,  the  p(Fa11ure|xd) 


can  be  calculated.  This  probability  is  represented  as  the  crossed 


Figure  5.16  The  classical  hypothesis  testing  centers  the 
probability  density  function  on  zero._  The 
crossed  area  is  the  probability  that  xd  exceeds 
the  absolute  obtained  value,  | x j | . 


area  In  Figure  5.17. 

When  the  system  falls,  the  observed  value  deviates  from  the  xQ 
value  and  the  calculated  probability  that  the  system  has  failed  Is 
Increased.  This  Is  shown  In  Figure  5.18. 

The  ratio  of  the  probability  that  the  system  has  failed  to  the 
probability  that  the  system  has  not  failed  Is  the  odds  ratio,  ft.  ft  can 
be  expressed  mathematically  as: 

P(Fa11ure|Xj)  P(HJxi) 

ft  «  - - - « - 2—  (5.7) 

P(No  Failure | x^)  P(H0|x^) 

The  advantages  of  displaying  the  odds  ratio  to  the  operator  are  dis¬ 
cussed  In  Section  5.1.5.  The  odds  ratio  can  be  calculated  based  on  one 
or  more  samples  of  n  system  and  model  outputs.  For  the  case  of  two 
samples  of  size  n  the  expected  value  of  the  difference  can  be  expressed 
as: 

xd  ’  -T  ih  (xs,  ’  xm^  +  <5'8> 

and  the  standard  deviation  of  this  xd  value  Is  ad//2 n.  Combining  the 
Information  of  two  samples  of  size  n  Is  described  graphically  In  Figure 
5.19.  Tzelgov  [25]  has  shown  how  this  property  can  be  used  to  combine 
the  operator's  subjective  belief  In  calculating  the  probability  of  a 
system  failure. 

In  applying  the  Bayesian  statistical  model,  accumulating  sampled 
Information  might  cause  midleading  results.  Consider  the  case  where  a 
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Figure  5.17  The  Bayesian  model  centers  the  probability  density 
function  on  x|j.  The  crossed  area  Is  the  probability 
that  the  system  has  failed. 
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Figure  5.18  The  Bayesian  model  centers  the  probability  density 
function  on  x<j*  The  crossed  area  is  the  probability 
that  the  system  has  failed. 
p(failure)  is  increased  when  xd  increases. 
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Figure  5.19  The  Bayesian  model  Is  able  to  accumulate  Information. 

The  probability  calculation  is  changed  by  accumulating 
the  Information  of  two  samples  of  size  n. 


system  failure  occurs  after  a  long  time  of  normal  operation.  By 
accumulating  the  non-failure  Information,  the  calculated  odds  ratio 
and  the  standard  deviation  are  both  small  numbers,  reflecting  the 
certainty  that  the  model  gained  by  having  the  system  operating  normally. 
As  a  result.  It  will  be  long  before  the  "belief"  that  the  system  has  not 
failed  Is  overcome,  and  the  statistical  model  will  Indicate  that  the 
system  has  failed  only  long  after  It  has  occurred.  Therefore,  non- 
failure  Information  Is  not  accumulated.  On  the  other  hand.  Infor¬ 
mation  which  Indicates  that  the  system  has  failed  Is  accumulated.  This 
structure  of  not  accumulating  non-failure,  and  accumulating  the  failure 
Information,  results  In  minimizing  the  chances  that  a  failure  will  not 
be  detected  shortly  after  It  has  occurred. 

5.3  Computer/Human-Operator  Interaction  In  Applying  FDLM 

FDLM  Is  Intended  to  run  continuously  during  the  system  operation, 
waiting  for  significant  discrepancies  between  actual  systems  and  model 
outputs.  The  task  of  monitoring  the  system  and  model  outputs.  If 
performed  by  a  human  operator.  Is  boring  and  has  high  cognitive  load. 

For  these  reasons  the  routine  monitoring  task  should  be  performed  by 
a  human  operator.  Is  boring  and  has  high  cognitive  load.  For  these 
reasons  the  routine  monitoring  task  should  be  performed  by  computer. 

The  computer  would  examine  all  available  system  measurement  points 
simultaneously,  as  shown  In  Figure  2.12.  According  to  this  examination 
the  computer.  If  necessary,  will  alert  the  operator  and  locate  the 
defective  subsystems.  When  the  operator  Is  alerted  his  task  then  Is 
to  confirm  the  evidence  of  a  system  failure  and  to  Identify  the  failed 
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components  of  the  defective  subsystems.  These  components  can  be 
Identified  either  by  using  the  operator's  knowledge  and  experience, 
or  by  applying  simple  fault/event  tree  analysis  to  the  suspected 
defective  subsystems.  By  Identifying  the  defective  subsystems,  the 
required  fault/event  trees  are  drastically  simplified.  Therefore  the 
contlnatlon  of  FDLM  and  the  fault/event  tree  analysis  seems  to  be  very 
promising. 

A  suggested  FDLM  computer/human  operator  Interface  Is  shown  In 
Figure  5.20.  In  this  Interface  a  schematic  description  of  the  system 
Is  displayed  together  with  the  odds  ratio,  calculated  by  the  computer. 
When  the  odds  ratio  of  a  particular  point  exceeds  the  critical  value, 
ft-c,  the  operator  Is  alerted,  and  his  task  then  Is  to  confirm  the  evi¬ 
dence  of  a  failure  by  checking  the  corresponding  system  and  model  out¬ 
puts  viewed  on  a  separate  CRT  display. 

Five  different  displays  were  described  and  evaluated  earlier  In 
this  Chapter.  To  determine  the  most  powerful  display,  an  experiment 
was  conducted  In  the  M.I.T.  Man-Machine  Systems  Laboratory.  In  this 
experiment  eight  subjects  were  asked  to  monitor  the  system  and  model 
outputs  In  real  time  and  to  detect  possible  system  failures.  The 
experiment  and  Its  results  are  discussed  more  fully  In  Chapter  6. 


Figure  5.20  Proposed  FDLM  computer/human  operator  Interface.  A  schematlcal  description 
as  well  as  the  system  and  model  outputs  are  displayed  to  the  operator. 


CHAPTER  6 

EXPERIMENTAL  DETERMINATION  OF  AN  OPTIMAL  DISPLAY 


6.1  Experimental  Goals 

The  display  Interface  between  FDLM  and  the  human  operator  can  be 
constructed  In  various  ways.  Five  different  displays  were  discussed  In 
Section  5.1.  The  most  useful  displays  should  enable  the  operator  to  de¬ 
tect  system  failures  shortly  after  they  have  occurred,  and  to  minimize 
the  two  possible  errors  of  false  alarms  and  misses.  For  this  reason, 
the  five  displays  were  compared  experimentally. 

Informal  observations  have  Indicated  that  the  probabilities  combined 
with  the  averaged  or  raw  variables  display  results  In  short  failure  de¬ 
tection  time  and  low  miss  and  false  alarms  rates.  The  failure  detection, 
referred  to  also  as  the  subject's  reaction  time,  was  measured  from  the 
time  a  system  failure  has  been  Introduced  to  the  time  the  subject  has 
detected  It. 

The  performance  of  the  human  operator,  monitoring  real-time  system 
and  model  outputs  and  using  the  Probabilities  Display,  was  determined 
experimentally.  The  experiment  was  conducted  In  the  Man-Machine  Systems 
Laboratory  In  M.I.T.  The  goals  of  the  experiment  were  to  determine  how 
the  performance  of  the  human  operator  Is  affected  by: 

1.  Including/not  Including  state  variables  In  the  referenced  sub¬ 
models. 

2.  Displaying  raw  noisy/averaged  system  and  model  outputs. 

3.  Displaying  different  digital  (numerical)  calculated  measures 
In  addition  to  the  analog  signals  of  the  system  and  model 
outputs. 
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To  meet  these  goals  the  experiment  was  designed  as  follows. 


6.2  Experimental  Design 

To  explore  the  effects  of  Including/not  Including  state  variables 
In  the  referenced  submodels  the  experiment  was  performed  In  two  sessions. 
In  one  session  the  referenced  submodel  contained  state  variables,  and  In 
the  other  session  It  did  not.  There  were  240  experimental  trials  In  each 
session.  The  types  of  analog  output  and  digital  displayed  Information  In 
these  trials  are  summarized  In  Table  6.1.  There  were  20  experimental 
trials  for  each  combination  of  digital  and  analog  Information. 


TABLE  6.1:  THE  COMBINATIONS  OF  ANALOG  AND  DIGITAL  DISPLAYED 
INFORMATION  EACH  HAVING  20  EXPERIMENTAL  TRAILS 


— ^^Illgltal 

Anal  oo 

No  digital 
Information 

odds  ratio 
a 

the  time  n 
exceeds  1,  t^ 

Q»tn 

Raw  system  & 
model  outputs 

20 

20 

20 

20 

Raw  system  & 
smooth  model 
outputs 

20 

20 

20 

20 

Smooth  system  & 
model  outputs 

20 

| 

20 

20 

1 

- 1 

20 

The  effects  of  displaying  noisy/smooth  system  and  model  outputs  were 
explored  by  changing  the  type  of  the  analog  Information.  The  analog  out¬ 
puts  were  generated  In  three  forms: 

1.  Raw  system  and  model  outputs. 

2.  Raw  system  and  smooth  model  outputs. 

3.  Smooth  system  and  model  outputs. 
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These  three  types  of  outputs  are  shown  In  Figure  6.1  and  6.2  for 
the  state  variable  and  non-state  variable  cases,  respectively.  Although 
the  displays  of  raw  system  and  model  outputs  and  raw  system  and  smooth 
model  outputs  in  the  state  variable  case  are  similar,  these  two  types  of 
analog  outputs  were  Included  In  the  experiment  to  balance  the  non-state 
variable  case. 

The  effects  of  displaying  different  digital  (numerical)  measures 
were  determined  by  combining  the  described  analog  outputs  with  the 
following  digital  forms: 

1.  No  digital  Information  displayed. 

2.  The  odds  ratio,  fl.  Is  displayed. 

3.  The  time  fl  exceeds  1  Is  displayed,  t^. 

4.  The  odds  ratio,  n,  and  the  time  It  exceeds  1,  t^,  are  displayed. 

These  four  types  of  digital  Information  combined  with  the  raw 
variables  display  are  shown  In  Figure  6.3.  Eight  subjects  participated 
In  this  experiment.  The  subjects  were  Mechanical  Engineering  students 
who  had  some  background  In  control  and  modeling.  The  experiment  was  per¬ 
formed  In  two  sessions  consisting  of  240  experimental  trials  each.  The 
reliability  of  the  simulated  system  was  assumed  to  be  0.5.  That  Is, 

In  50%  of  the  experimental  trials  (for  each  analog  and  digital  combin¬ 
ation),  a  system  failure  was  Introduced  early  In  the  trial,  by  changing 
one  of  the  system  parameters  stepwise.  The  failure  occurrences  were 
randomly  ordered.  Each  trial  lasted  35  seconds,  unless  It  was  Inter¬ 
rupted  by  the  subject  detecting  a  failure. 
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Figure  6.1  Raw  system  and  model  outputs  in  6.1a,  raw  system  and 
averaged  model  outputs  in  6.1b,  and  averaged  system 
and  model  outputs  in  6.1c.  The  submodels  generating 
these  outputs  include  state  variables. 
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Figure  6.2  Raw  system  and  model  outputs  in  6.2a,  raw  system  and 
averaged  model  outputs  in  6.2b,  and  averaged  system 
and  model  outputs  in  6.2c.  The  submodels  generating 
these  outouts  do  not  Include  state  variables. 


There  were  four  Independent  variables  associated  with  this  experiment 

A.  State- variable- Included  In  model  no-state-variable-included. 

This  Is  an  wlthln-subjects  variable,  where  A1  Is  the  case 
where  the  compared  model  output  Is  generated  by  a  submodel 
which  contains  a  state  variable,  and  A2  Is  the  case  where 
the  submodel  does  not  contain  a  state  variable.  To  balance 
this  effect,  a  session  order  variable  was  introduced. 

B.  Sessions  order.  This  Is  a  between-subjects  variable  where,  B1 
Is  starting  with  the  state- variables  session  and  proceeding 
with  the  no-state-varlable-sesslon,  and  B2  Is  starting  with  the 
no-state-variable  session  and  proceeding  with  the  state-vari¬ 
able  one.  This  variable  was  balanced  by  assigning  B1  to  the 
first  four  subjects,  and  B2  to  the  second  four. 

C.  The  type  of  analog  outputs. 

Cl  *  Raw  system  and  model  outputs. 

C2  *  Raw  system  smooth  model  outputs. 

C3  ■  Smooth  system  and  model  outputs. 

0.  The  type  of  the  displayed  digital  measure. 

D1  *  No  digital  Information  is  displayed. 

02  «  The  odds  ratio,  n,  is  displayed. 

03  *  The  time,  t^  ,  the  odds  exceeds  1  Is  displayed. 

D4  »  The  odds  ratio,  0,  and  the  time  tn.  It  exceeds  1  are 
displayed.  w 

Each  experimental  session  contained  four  blocks,  standing  for  the 
four  digital  Information  displays  01  -  04.  The  type  of  the  analog 
outputs  changed  within  each  block  In  a  random  order,  where  the  digital 
Information  was  balanced  using  the  latln  square  technique  discussed  in 
[26]. 
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Both  C  and  0  are  within  subjects-varlables. 

6.3  Experimental  Method 

The  subjects  participating  In  this  experiment  were  asked  to  monitor 
In  real-time  the  system  and  model  outputs.  The  simulated  system  Is 
described  In  the  experimental  Instructions  In  Appendix  A.  The  subject's 
task  was  to  use  all  the  available  Information  displayed  on  the  CRT  screen 
to  decide  whether  the  system  In  any  particular  trial  was  or  was  not  de¬ 
fective.  The  system  time  constant  as  well  as  the  threshold  size  were 
specified  to  the  subjects.  There  were  two  control  buttons: 

1 .  Start 

2.  Alarm 

Each  trial  was  Initiated  by  pressing  the  Start  button.  The  alarm  was  to 
be  pressed  when  a  system  failure  was  detected.  The  subjects  were  told 
that  their  reaction  time  and  accuracy  were  of  equal  Imprtance.  Therefore, 
immediately  after  they  were  certain  that  the  system  had  failed,  they 
pushed  the  Alarm  button. 

In  order  to  establish  a  certain  level  of  familiarity  with  the  simu¬ 
lation,  the  subjects  had  practice  trials  In  which  they  were  notified 
whether  or  not  they  made  the  right  decision. 

6.4  Experimental  Results 

The  effects  of  the  expelmental  variables  described  In  Section  6.3 
can  be  explored  by  analyzing  the  experiment  In  the  light  of: 


1.  The  accuracy  of  the  subjects  decisions. 

2.  The  subject's  reaction  times  for  detecting  system  failures. 


The  results  of  this  analysis  suggest  the  "best"  digital /analog 
display  combi  nation  by  which  fast  and  accurate  system  failure  detec¬ 
tions  are  obtained. 

6.4.1  Accuracy  Analysis 

The  percentages  of  false  alarms  and  misses  are  summarized  In  Tables 
6.1  and  6.2  for  the  state-variable  and  no-state-varlable-cases,  respec¬ 
tively.  These  values  are  based  on  160  observations  for  each  combination 
of  analog  and  digital  displayed  Information. 

In  the  no-state- variable  case  (Table  6.2)  the  percentage  of  false 
alarms  and  misses  was  reduced  from  13.75  and  11.25  to  zero  either  by 
displaying  smooth  analog  outputs*  or  by  adding  digital  Information. 

In  the  state- variable  case  (Table  6.3)  these  percentage  values  do  not 
exceed  2.5%.  This  reflects  the  fact  that  the  model  outputs  In  this  case 
are  smooth  In  their  raw  form,  which  makes  the  detection  task  easier. 

6.4.2  Analysis  of  the  Subjects*  Reaction  Times 

The  average  reaction  times  of  the  subjects  are  summarized  In  Tables 
6.4  and  6.5  for  the  state- variable  and  no-state-variable  cases, 
respectively.  These  data  have  been  subjected  to  a  four-way  analysis 
of  variance.  The  results  of  this  analysis  are: 

1.  The  displayed  digital  Information  causes  the  reaction  times 
to  change  significantly.  Applying  the  F  test  results  in  an 
F(2,  18)  of  5.02  which  Is  significant  for  probability  P<0.02. 
The  averaged  reaction  times  for  the  different  digital  displays 
are  shown  In  Figure  6.4.  The  Newman-Keuls  test  (27]  indicates 
Insignificant  differences  between  the  reaction  times  for 
displaying  no  digital  Information  versus  displaying  the  time 
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TABLE  6.4:  SUBJECTS'  AVERAGE  REACTION  TIMES  FOR  THE 
STATE-VARIABLE  CASE.  TIME  IN  SECONDS 


J  1 
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\k 

Digital 

Analog 

No  digital 
Information 

a 

*8 

nstn 

1  - 

Raw  system  & 
model  outputs 

17.12 

17.90 

16.30 

16.15 

\i: 

Raw  system  & 
smooth  model 
outputs 

17.72 

17.90 

16.77 

16.77 

Smooth  system  & 
model  outputs 

17.10 

16.8 

17.17 

16.02 

i  n 
« 

TABLE  6.5:  SUBJECTS'  AVERAGE  REACTION  TIME  FOR  THE 

NO-STATE  VARIABLE  CASE.  TIME  IN  SECONDS. 
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11.35 

9.22 

9.35 

8.70 

Smooth  system  & 
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6.97 
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over  which  ft  exceeds  1,  t^.  Furthermore,  the  reaction  time 
differences  between  displaying  ft  and  ft  plus  t^  are  not 
significant,  as  well.  However,  displaying  either  ft  or  the 
combination  of  ft  and  tft  Is  better  than  displaying  t^  alone 
or  not  displaying  digital  Information  at  all.  This  Is  true 
for  both  state- variable  and  no-state-variable  cases. 

2.  Changing  the  type  of  the  analog  outputs  results  In  significant 
differences  of  the  reaction  times.  The  analog  outputs  variable 
turns  out  to  have  Interactions  with  the  state-varlable/no- 
state-variable.  To  analyze  this  relation  the  Newman-Keuls 
test  was  applied  and  the  results  are  summarized  In  Table  6.6. 
The  A1-A2  and  C1-C3  variables  are  defined  In  Section  6.2. 


TABLE  6.6:  THE  INTERACTION  BETWEEN  THE  DIFFERENT  ANALOG 
OUTPUTS  AND  THE  STATE  VARIABLE/NO-STATE 
VARIABLE  CASES 


Cl  vs  C2 

Cl  vs  C3 

C2  vs  C3 

A1 

no  significant 

not 

not 

significant 

significant 

A2 

not 

slgnifl  cant 

significant 

significant 

P  .  <  0.01 

P  <  0.01 

These  Indicate  that  In  the  case  of  a  state- variable- Included  in 
the  model,  reaction  times  are  not  affected  significantly  changing  the 
analog  outputs  display.  However,  In  the  no-state-variable  case  they  are 
affected  significantly  by  changing  the  analog  display.  The  reaction 
times  for  the  state-variable  and  no-state-variable  cases,  as  a  function 
of  the  types  of  the  analog  outputs,  are  shown  in  Figure  6.5.  The  best 
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Figure  6.5  The  operators'  reaction  times,  versus  the 
different  analog  outputs  for  state  and 
no-state  variables  cases. 
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results  are  obtained  using  the  smooth  system  and  model  outputs,  where 
the  raw  and  smooth  model  outputs  (Cl  and  C2)  do  not  differ  significantly 
In  their  effects  on  reaction  time. 


6.5  Sunmary  and  Conclusions 

The  experimental  results  described  In  Sections  6.4.1  and  6.4.2  show 

that: 

1.  The  failure  detection  task  Is  easier  when  the  calculated  model 
output  Is  generated  by  a  submodel  which  contains  state- 
variables.  In  this  case,  the  rates  of  false  alarm  and  miss 
are  low,  regardless  of  the  type  of  analog  output  and  digital 
Information  displayed.  For  this  case,  however,  failure  causes 
the  model -associated  output  to  deviate  from  Its  system  value 
only  after  a  time  delay  as  discussed  In  Section  5.2.1. 

2.  Displaying  additional  digital  information  Improves  the  op¬ 
erator's  performance.  In  particular,  the  odds  ratio,  n, 
and  the  odds  combined  with  the  time  It  exceeds  flc,  t^,  give 
the  best  results. 

3.  Displaying  the  smooth  model  and  system  output  results  in  the 
best  operator  performance.  In  the  no-state-variable  case,  the 
operator's  reaction  time  is  decreased  significantly.  Since 
the  smooth  system  and  model  outputs  display  eliminates  Impor¬ 
tant  system  noise  level  Information,  the  raw  system  and 
smoothed  model  output  display  Is  preferred.  This  Is  used  In 
the  Ship's  Engine  simulation  described  In  Chapter  7. 


CHAPTER  7 


SHIP'S  ENGINE  SIMULATION 

7.1  A  Description  of  the  Ship's  Engine  Simulation 

In  the  following  example,  FDLM  is  applied  to  part  of  a  ship's  en¬ 
gine.  The  engine's  simulation  includes  a  gas  turbine,  which  rotates  a 
three  phase  ac  generator.  The  generator  produces  electric  power,  which 
forces  the  ac  motor  to  spin  the  ship's  propeller.  This  system  is  de¬ 
picted  in  Figure  7.1,  and  its  model  is  shown  in  Figure  7.2.  It  is  as¬ 
sured  that  the  power  variables  can  be  measured  at  four  different  loca¬ 
tions  in  the  system  (points  1-4  in  Figure  7.2). 

The  input  variables  of  the  simulation  are  the  pressure  and  the 
temperature  of  the  gas  at  the  turbine's  inlet.  The  turbine  Is  simu¬ 
lated  as  a  transformer,  as  constructed  by  Markunas  In  [28].  The  three 
phase  ac  motor  and  generator  are  simulated  using  Paynter's  models  dis¬ 
cussed  in  [29]  and  [30]. 

The  model  of  the  ship's  engine  has  been  implemented  on  the  PDP11 
computer  system  of  the  Man-Machine  Systems  Laboratory  in  M.I.T.  To 
Interface  FDLM  with  the  human  operator,  a  schematical  description 
of  the  engine  is  displayed  on  the  Lexi data's  screen,  as  shown 
in  Figure  7.3.  The  four  available  measurement  points  and  their 
correspondence  calculated  probability  ratios  are  displayed,  as  well. 
When  one  of  the  calculated  probability  ratios  exceeds  its  critical 
value  (1  in  our  case),  the  time  in  seconds  during  which  it  has  happened 
is  displayed  below  the  over-critical  probability  ratio  value. 
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Figure  7.3  Schematical  description  of  the  ship's  engine. 

The  four  measurement  points  and  the  calculated 
probability  ratios  are  displayed.  When  n  ex¬ 
ceeds  1,  the  time  during  which  it  has  happened 
is  displayed  as  well . 


By  touching  the  Lexidata's  touch  sensitive  panel,  the  operator  con¬ 
trols  which  of  the  measurement  points  are  utilized  by  FDLM.  The  system 
and  model  outputs  of  the  activated  measurement  points  are  displayed  as 
two  side  by  side  graphs  on  the  Megatek's  screen. 

The  ship's  engine  simulation  demonstrates  that  a  non-linear  system 
can  be  traced  solving  a  linear  set  of  differential  equations  forced  by 
non-linear  inputs.  This  is  discussed  in  Section  7.2.  In  Section  7.3 
it  is  shown  that,  when  the  model  includes  dependent  energy-storing 
components,  the  submodels  causalities  can  be  set  such  that  dervlative 
calculations  are  eliminated  at  the  expense  of  increasing  the  model's 
order. 

In  Section  7.4  it  is  shown  that  the  ac  system  and  model  power 
comparison,  is  advantageous  on  comparing  their  corresponding  effort  or 
flow  values.  The  sequential  and  simultaneous  failure  location  procedures 
are  demonstrated  and  evaluated  in  Section  7.5. 

7.2  Tracing  the  Non-Linear  Ship's  Engine  Simulation  by  Solving  a 

Linear  Set  of  Differential  Equations  ~~~~m 

The  ship's  engine  is  an  eighth  order  non-linear  simulation,  the 
state  equations  of  which  are  written  in  Appendix  B.  Tl  'on-linear 
terms  of  the  [A]  matrix  (equation  4.1)  are  functions  of  the  angular 
velocity  a>i  which  can  be  expressed  as: 

“1  ■  <7-') 

where  Y( 7)  and  J-|  are  the  momentum  and  moment  of  inertia  of  the  shaft 
connecting  the  turbine  to  the  generator,  respectively.  By  utilizing  • 
measurement  point  1,  FDLM  results  in  a  linear  set  of  differential 
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differential  equations  which  are  written  in  Appendix  C. 

The  non-linear  simulation  has  been  successfully  traced  by  the 
linear  equations.  The  simulated  outputs,  obtained  by  Increasing  the 
integration  time  step  by  a  factor  of  10,  are  satisfactory,  as  shown  in 
Figure  7.4. 

Since  utilizing  the  outputs  of  measurement  point  1  results  in  a 
linear  FDLM  model,  measurement  points  2,  3,  and  4  have  been  applied 
together  with  point  1,  as  shown  in  Figure  7.5a,  for  measurement  point  1 
and  2. 

7.3  Eliminating  Derivative  Calculations  When  Dependent  Energy  Storing 
Components  are  Included  in  the  Model 

Utilizing  measurement  points  2  and  3  are  examples  which  require 
derivative  calculations,  as  discussed  in  Section  4.3.  Since  the  simu¬ 
lation  Includes  stochastic  processes,  these  time  derivatives  cannot  be 
calculated.  To  eliminate  time  derivative  calculations,  the  causalities 
of  the  submodels  obtained  by  utilizing  measurement  points  1  plus  2  and 

1  plus  3  are  to  be  set  as  shown  in  Figure  7.5.  This  increases  the 
model's  order  from  8  to  14,  and  the  state  equations  of  FDLM  utilizing 
point  1  plus  2  are  written  in  Appendix  D. 

7.4  Comparing  ac  Power  Versus  Its  Corresponding  Effort  and  Flow 
Variables 

The  system  and  model  effort  and  flow  variables  of  measurement  points 

2  and  3  are  oscillatory  in  nature,  as  shown  in  Figure  7.6c  (for  the  voltage 
of  one  of  the  phases  at  point  2).  These  oscillations  cause  difficulties 

to  the  operator  to  perform  the  system  model  comparison  successfully. 
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Figure  7. 


The  system  and  model  outputs  of  FDIM  utilizing  measurement 
point  1.  The  non-linear  system  is  traced  by  a  linear  model 
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Figure  7.6  FDLM  system  and  model  outputs.  The  power  of 

measurement  point  2  in  7.6b,  and  the  alternating 
voltage  in  7.6c. 


Therefore,  it  is  proposed  (section  2.3)  to  display  to  the  operator  the 
system-model  power  values,  as  shown  In  Figure  7.6b  which  are  relatively 
constant. 

7.5  Different  Failure  Location  Procedures 

The  ship's  engine  simulation  enables  demonstrating  the  sequential 
and  simultaneous  failure  location  procedures,  discussed  in  Section  2.3. 

A  sequential  and  simultaneous  location  procedures  of  a  single  system 
failure  are  depicted  in  Figures  7.7  and  7.8,  respectively.  The  three 
FDLM  sequential  tests  shown  In  Figure  7.7a-c  Indicate  that  the  switch 
has  failed.  This  failure  was  located  227  Seconds  after  It  had  been  In¬ 
troduced.  In  contrast,  the  simultaneous  FDLM  application  (Figure  7.8) 
results  In  locating  the  defective  switch  5  seconds  after  It  has  failed. 

The  FDLM  capability  to  locate  a  multiple  system  failure  Is  demon¬ 
strated  in  Figures  7.9  and  7.10.  The  sequential  FDLM  tests  (Figure 
7.9a-d)  Indicate  that  the  ac  generator  and  motor  have  failed.  The  re¬ 
results  of  these  tests  are  obtained  109  seconds  after  the  system  failures 
were  introduced.  These  results  do  not  clearly  determine  whether  is  or 
Is  not  defective. 

However,  by  utilizing  the  FDLM  tests  simultaneously,  4  seconds 
after  introducing  the  failures  it  becomes  clear  that  the  ac  generator 
and  motor  have  failed,  and  the  switch's  status  Is  normal. 

These  two  examples  demonstrate  that  the  simultaneous  FDLM  appli¬ 
cation  Identifies  the  failure  locations  soon  after  they  have  occurred. 
Furthermore,  In  multiple  failures,  ambiguous  results  of  the  FDLM 

sequential  tests  are  resolved  by  applying  simultaneous  FDLM  mode. 
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Figure  7.7c  FDLM  sequential  test  application  utilizing  measurement 
points  1  plus  3.  The  failure  is  to  the  left  of  point 
Hence,  the  failure  Is  between  point  2  to  3. 
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Figure  7.9a  FDLM  sequential  test  application  utilizing 
measurement  point  1.  The  failure  is  to  the 
right  of  point  1 . 
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Figure  7.9b  FDLM  sequential  test  anplication  utilizing 
measurement  points  1  plus  2.  There  is  a 
multiple  failure  between  points  1  and  2  and 
to  the  left  of  point  2. 
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Figure 


.9c  FDLM  seauential  test  application  utilizino  measurement 
points  1  plus  3.  There  is  a  multiple  failure  between 
points  1  and  3  and  on  the  right  of  point  3. 


Figure  7.10  FDLM  simultaneous  test  application.  There  is 
a  multiple  failure  between  points  1  and  2  and 
points  3  and  4. 


CHAPTER  8 


CONCLUSIONS  AND  FUTURE  WORK 

A  new  method  which  detects  and  locates  system  failures  In  real  time  is 
introduced  in  this  thesis.  This  method  is  called  Failure  Detection  and 
Location  Method  (FDLM).  Significant  deviations  of  the  measured  system 
power  variables  from  their  normal  values  constitutes  the  definition  of  a 
system  failure.  FDLM  detects  a  failure  by  comparing  the  measured 
variables  with  the  outputs  of  a  computerized  model  of  the  system's  normal 
operational  mode.  To  locate  the  causes  of  the  failure  the  model  is 
disaggregated  and  according  to  the  causalities  of  the  resultant  submodels, 
the  measured  system  outputs  are  used  as  the  submodel 's  Inputs.  The  power 
covariables  of  these  inputs  are  the  submodel  outputs  which  are  compared 
with  their  corresponding  system  measured  variables.  Only  the  outputs  of 
the  submodels  in  which  the  failure  causes  are  located  deviate  from  their 
corresponding  measured  system  variables.  This  enables  FDLM  to  detect  and 
locate  system  failures  by  utilizing  a  single  computerized  model  of  the  system' 
normal  operational  mode,  and  its  measured  system  outputs. 

FDLM  can  Identify  m+1  system  failure  locations,  where  m  Is  the  number 
of  available  measurement  points.  Thus  the  number  of  measurement  points 
determines  how  fine  the  locations  of  system  failures  can  be  Identified. 

This  Is  similar  to  the  Failure  Sensitive  Filter  technique,  where  the  number 
of  measurement  points  determines  the  number  of  failure  modes  which  can  be 
detected  by  a  single  filter. 


FDLM  can  be  applied  to  two  distinct;  sequential  and  simultaneous 
inodes.  In  the  sequential  mode.  FDLM  utilizes  the  outputs  of  each  measure¬ 
ment  point  sequentially.  Here  the  number  of  compared  system  model  out¬ 
puts  Is  minimized,  but  the  location  procedure  Is  extensive.  The  simul¬ 
taneous  FDLM  mode  utilizes  all  the  available  system  measurement  points  at 
once.  This  results  In  fast  location  but  requires  a  comparison  of  many 
system  and  model  outputs.  In  practical  applications  a  combination  of  the 
simultaneous  and  sequential  FDLM  modes  Is  recommended.  An  advantage  of 
the  FDLM  sequential  mode  Is  its  capability  to  distinguish  between  system 
and  sensor  failures.  To  detect  system  failures,  one  has  first  to  validate 
the  measurements,  and  use  the  validated  signals  to  detect  and  locate 
system  failures.  FDLM  assumes  that  the  measured  system  outputs  have  been 
validated  by  other  available  techniques. 

Where  systemfallure  is  defined  to  be  a  process  which  causes  the 
values  of  the  system  transferred  power  to  deviate  from  the  normal  values. 
Such  deviations  can  be  detected  by  comparing  the  system  with  a  single 
model  of  its  normal  operational  mode.  Constructing  only  one  model  is 
an  advantage  which  requires  the  completion  of  the  failure  location  task 
before  the  failed  system  outputs  wander  too  far  from  their  normal  ranges. 
This  can  be  achieved  by  early  failure  detection  and  efficient  location 
procedure. 

To  obtain  early  failure  detection  FDLM  is  proposed  to  be  applied  to 
continuously  monitored  dynamic  systems  such  as  power  plants,  airplanes 
and  ships.  This  system  Is  to  be  continuously  compared  with  a  computerized 
model  during  their  operation.  Failure  detection,  based  on  deviations  from 
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a  model  is  in  contract  to  fault/event  tree  analysis  where  failure  is  de¬ 
tected  when  measured  system  outputs  reach  their  safety  limit  or  abnormal 
range. 

To  obtain  an  efficient  failure  location  procedure,  it  is  proposed 
to  cut  the  model  such  that  the  relative  positions  of  its  state  variables 
during  the  location  procedure  will  not  be  changed.  This  requires  that  the 
model  be  cut  Into  submodels  such  that  each  submodel  contains  a  minimum 
number  of  state  variables  (one  if  possible).  It  is  shown  in  this  work 
that  the  multiple  cut  approach  also  overcomes  the  problem  of  low  sensi¬ 
tivity  of  system  parameters. 

Sensitivity  Is  a  measure  of  the  size  of  a  detectable  failure.  It 
depends  on  the  noise  levels  of  the  measured  system  outputs,  and  the 
quality  of  the  compared  computerized  model.  In  practical  FDLM  applications, 
a  detailed  model  may  detect  small  system  model  deviations  but  might  require 
lengthy  calculations  and  as  a  result,  would  not  be  implemented  In  real  time. 
The  questions  of  how  detailed  the  model  has  to  be,  should  be  addressed  in 
every  FDLM  application. 

FDLM  determines  the  status  of  a  physical  system  by  testing  relatively 
few  of  its  outputs.  Therefore,  FDLM  is  a  promising  candidate  of  the 
desired  Nuclear  Plant  Surveillance  and  Diagnostic  System  (NPSDS)  [15], 
which  Is  under  development  now.  NPSDS  Is  designed  to  reduce  the  number 
of  displayed  variables  In  nuclear  power  control  rooms. 

FDLM,  when  utilizing  certain  system  measured  outputs  transforms  a 
non-linear  model  into  a  linear  set  of  differential  equations,  forced  by 


non-linear  Inputs.  This  approach  results  in  capabilities  to  detect  fail¬ 
ures  of  non-linear  dynamic  system  by  solving  linear  set  of  differential 
equations. 

Calculating  time  derivatives  of  measured  system  outputs  cannot  be 
performed  when  the  outputs  are  changing  their  values  rapidly  (not  smooth 
functions).  These  derivative  calculations  can  be  eliminated  by  setting 
the  causalities  of  the  submodels  promptly.  This  is  achieved  at  the  ex¬ 
pense  of  increasing  the  number  of  the  model  state  variables. 

FDLM  was  successfully  applied  to  mul ti connected  physical  systems  with 
bi-  and  uni-lateral  energy  bonds.  It  is  shown  how  to  expand  FDLM  to  be 
applicable  to  systems  with  multi-lateral  energy  bonds.  In  the  future,  it 
is  planned  to  apply  FDLM  to  part  of  a  fossil  power  plant,  where  the  multi¬ 
lateral  FDLM  applications  will  be  tested. 

While  FDLM  was  designed  to  detect  system  failure.  It  can  also  be  used 
in  a  reverse  way  to  update  the  model  when  the  system  is  readjusted  and 
model  calibration  Is  required. 

A  Bayesian  statistical  model  was  incorporated  into  FDLM  and  evaluated. 
This  model  calculates  the  probability  that  the  system  failed.  This 
probability  was  found  to  be  very  useful.  By  displaying  the  probability 
to  human  operators  as  an  odds  ratio  (failure/nonfailure) ,  their  miss  and 
false-alarm  rates,  as  well  as  their  reaction  times  can  be  improved  sig¬ 
nificantly. 

The  probability  display  can  be  used  as  a  computerized  alarm  system 
which  will  call  the  operator's  attention,  once  the  odds  ratio  exceeds 


a  preset  critical  calue.  The  operator's  task  will  be  to  use  FDLM  and 
to  confirm  the  location  of  the  failure  causes.  The  location  can  be  identi¬ 
fied  up  to  two  adjacent  measurement  points.  To  identify  the  system's 
defective  components,  Inbetween  measurement  points,  a  simple  fault/event 
tree  analysis  of  the  defective  subsystem,  and  the  operator's  experience 
should  be  utilized. 

In  the  future  it  is  reconmended  to  apply  FDLM  to  a  real  thermo- 
fluidic  system.  In  this  application  FDLM  should  be  coupled  with  the 
available  diagnostic  methods  which  will  be  used  to  validate  sensor 
signals,  and  detect  failures  between  components  between  measurement  points. 
The  efficiency  and  reliability  of  this  combined  diagnostic  system  should 
be  tested,  and  its  sensitivity  to  a  choice  of  measurement  points,  noise 
level,  and  model  simplifications  should  be  analyzed. 
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APPENDIX  A 


INSTRUCTIONS  TO  THE  EXPERIMENTAL  SUBJECTS 

Purpose 

This  experiment  explores  what  information  should  be  displayed 
to  an  operator  of  a  plant  such  that  plant  failures  can  easily  be  de¬ 
tached. 

Background 

You  are  participating  in  an  experiment  in  which  your  task  is 

to  detect  failures  in  a  hydroelectric  plant  system.  The  system,  shown 

in  Figure  A. 1,  utilizes  hydraulic  power  to  generate  electricity.  To  de- 
% 

tect  failures  in  this  system,  measured  system  outputs  and  their  corres¬ 
ponding  model  variables  are  to  be  displayed  on  a  CRT  screen  as  a  func¬ 
tion  of  time.  In  our  case  the  measured  variables  are  the  torque  and 
the  angular  velocity  of  the  generator's  shaft  (as  marked  in  Figure  A.l). 


Figure  A.l  A  description  of  the  hydraulic-mechanical- 
electrical  system. 


The  measured  system  outputs  are  noisy  in  nature,  whereas  the  model 
outputs  are  either  noisy  or  smooth.  That  is,  the  model  angular 
velocity  Is  smooth  wheras  the  torque  is  noisy.  When  the  model  output 
is  noisy,  a  system  failure  results  in  a  discrepancy  between  the  system 
and  the  model  outputs  inmedlately.  On  the  other  hand,  when  the  model 
output  is  smooth,  the  discrepancy  appears  only  after  a  time  delay. 

The  time  delay  in  our  case  is  about  15  seconds.  The  experiment  con¬ 
sists  of  two  sessions,  one  devoted  to  smooth  model  output,  and  one  to 
noisy  output. 

To  explore  the  effect  of  noise  on  a  failure  detection  task  different 
kinds  of  output  can  be  displayed: 

1.  Raw  output  variables. 

2.  Averaged  model  output. 

3.  Averaged  system  and  model  outputs. 

Averaging  the  output  is  a  simple  way  to  smooth  out  the  noise.  In  this 
experiment  these  three  displays  will  appear  equally  in  random  order. 

The  effect  of  providing  additional  digital  information  is  to  be 
determined.  Two  kinds  of  digital  displays  will  be  tested. 

1.  The  ratio  of  failure  to  no-failure  probabilities  [p(Fallure)/ 
P(No-fallure)].  This  ratio  is  smaller  than  1  when  p(Fa11ure 
is  smaller  than  0.5,  and  larger  than  1  when  p(Failure)  is 
larger  than  0.5. 

2.  The  time  during  which  the  ratio  of  probabilities  exceeds  1. 

Each  session  will  consist  of  four  combinations  of  the  digital 


displays: 


1.  No  digital  Information  provided. 

2.  Ratio  of  probabilities  Is  displayed. 

3.  The  time  during  which  the  ratio  of  probabilities  exceeds 
1  Is  displayed. 

4.  Ratio  of  probabilities  and  the  time  during  which  It  exceeds 
1  are  displayed. 

The  type  of  digital  Information  provided  will  be  written  on  the 
screen. 

In  this  experiment  It  Is  assumed  that  the  hydroelectric  plant  Is 
still  being  tested  and,  as  such.  Is  very  unreliable.  The  probability 
that  the  system  has  failed  Is  0.5.  Thus  In  50%  of  the  experimental 
trials  the  system  is  defective. 

Using  all  the  Information  displayed  on  the  screen,  you  have  to  de¬ 
cide  whether  the  system  In  any  particular  trial  Is,  or  is  not  defective 

Experimental  Details 

The  experiment  Is  to  be  performed  In  two  sessions.  Each  session 
consists  of  4  modes,  differing  In  the  digital  information  displayed. 
There  are  60  experimental  trials  In  each  mode.  To  establish  a  certain 
level  of  familiarity  with  the  system  each  one  of  the  modes  will  start 
with  10  practice  trials.  In  these  trials  you  will  be  notified  whether 
or  not  you  made  the  right  decision. 

There  are  2  control  buttons: 

1 .  Start 


2.  Alarm. 


Each  trial  Is  Initiated  by  pressing  the  Start  button.  The 
Alarm  button  should  be  pressed  as  soon  as  a  system  failure  Is  detected. 
The  total  time  for  each  trial  Is  35  seconds.  Pressing  the  Alarm  after 
the  35  seconds  does  not  count.  Attempt  to  avoid  false  alarms.  That  is, 
do  not  press  the  Alarm  button  unless  you  detect  a  failure.  Speed  and 


accuracy  are  of  equal  Importance. 
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APPENDIX  B:  SHIP’S  ENGINE  SIMULATION 
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The  bond  graph  description  of  the  ship's  engine  is  depicted  In 
Figure  B.l.  This  is  an  eighth  order  non-linear  simulation,  and  the  state 
equations  can  be  written  as: 

y(l)  ■  (-P-y(7)  -  2V  R;  y(1)  --^S_y(8))/(1  ♦ -J^-) 
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t  is  the  current  time  and  is  the  torque  applied  to  the  gen¬ 
erator's  shaft.  x^n  is  calculated  using  Markunas's  model  of  gas  tur¬ 
bines  [31].  This  model  can  be  written  as: 
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APPENDIX  C:  UTILIZING  MEASUREMENT  POINT  1  IN 
APPLYING  FDLM  TO  THE  SHIP'S  ENGINE 


FDLM  cut  model  using  measurement  point  1  Is  shown  In  Figure  C.l.  The 
state  equations  of  this  model  can  be  written  as: 
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and  Is  calculated  by  using  equations  (B.3) 
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APPENDIX  D 

UTILIZING  MEASUREMENT  POINTS  1  AND  2 
IN  APPLYING  FDLM  TO  THE  SHIP'S  ENGINE 


The  FDLM  cut  model  using  measurement  points  1  and  2  is  shown  in  Figure 
.  The  state  equations  of  this  cut  model  can  be  written  as: 
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where  t^n  Is  calculated  by  using  equations  B.3,  and  G10-G310  are 
calculated  by  solving  equations  (C.2). 
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